What happens to your data when a company dies?
Blockbuster. Borders. Toys-R-Us. Sears. The list of long-established companies that have gone belly-up over the last few years is long. But while these organizations may be gone, the data you shared with them lives on. And it can end up being transferred, acquired, or accidentally shared with entities you probably don’t want to have it.
The story of Netlink Computer (NCIX) is an instructive example. After the Canadian electronics retailer declared bankruptcy at the end of 2017, it left behind more than $35 million in unpaid bills, as well as hundreds of PCs, servers, and hard drives from its back-office operations. Some of that hardware was sold at auction by NCIX’s bankruptcy trustee. Other machines, apparently confiscated by NCIX’s landlord in lieu of $150,000 of unpaid rent, made their way to Craigslist.
Travis Doering, owner of Vancouver-based security firm Privacy Fly, saw the listing for the NCIX servers and asked to look at them. There he discovered more than 13 terabytes of unencrypted data, including the contact information, passwords, and full credit card details for more than 250,000 of NCIX’s customers. The information went back some 15 years.
The Craigslist seller’s asking price of $35,000 wasn’t for the hardware; it was for the data contained on it, Doering says. (The seller also offered to let him simply copy all the data for $15,000.)
Finding data left behind on discarded hardware is not uncommon, Doering says. But this was an extreme example.
“What makes this set of data so damaging is that it contains every [customer] record NCIX ever held,” he says. “Most of the time, if you’re lucky, the data doesn’t end up in the hands of someone who has malicious intent.”
After Doering blogged about his discoveries, the Royal Canadian Mounted Police confiscated the remaining machines. But by then the data had already been acquired by multiple buyers, who could potentially use it to commit identity theft, credit card fraud, phishing attacks, or account takeovers.
The Office of the Information and Privacy Commissioner for British Columbia opened an investigation into the breach but is prohibited from commenting on its results, says representative Michelle Mitchell. She adds that NCIX or its trustee may have violated Canada’s Personal Information Protection Act (PIPA), which requires organizations to use reasonable security measures to protect the transfer of personal information when a business is sold.
There are two class action suits currently pending against NCIX and related parties, one from customers and the other from former employees, alleging violations of PIPA.
But in the United States, when a company goes under or gets sold, customer data is often the most valuable asset it holds—one it can usually sell or transfer to another entity, depending on the terms of its privacy policy.
When RadioShack tried to sell data on 117 million customers as part of its 2015 bankruptcy proceedings, for example, the Federal Trade Commission and 38 state attorneys general pushed back. The defunct electronics retailer ultimately agreed to destroy most of the data, including customers’ credit card, Social Security, and phone numbers, but it still collected $26 million for their names, email addresses, and transaction information.
The reason consumer privacy semi-prevailed? The company’s privacy policy had promised to “not sell or rent your personally identifiable information to anyone at any time.”
In 2013, defunct dating site True.com was prevented from selling its database of 43 million dating profiles to rival site PlentyOfFish for the same reason.
Restrictions on data transfers like those in RadioShack’s and True.com’s privacy policies are rare. As Marshall J. Hogan, an attorney with Foley & Lardner LLP, writes, most current privacy policies contain a provision allowing for the transfer of customer data if a company is dissolved or sold.
Doering says the NCIX scenario could have been avoided if the company had fully encrypted its drives or destroyed them as bankruptcy loomed. An admitted privacy extremist, he advises consumers to offer up as little of their personal information to commercial businesses as they can—supplying companies with fake names, shipping to P.O. boxes instead of home addresses, and paying in cash or via PayPal, which requires far less personal information than a credit card transaction.
Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, says the burden is on consumers to understand the privacy policies of the companies they do business with, and to stay abreast of changes in a company’s financial situation.
“My best advice would be to try to delete any personal data held by a company before it is transferred to the new entity,” he says. “Consumers can typically be alerted to the possibility of the future sale or bankruptcy of a company through the news media. Once the data has been transferred, there’s not much that can be done.”