Curves Leaves Working Computer Full Of Personal Information In An Office Dumpster

UPDATE: Adam has been in contact with the owners and has posted an update on his site.

Reader Adam writes in to let us know his relative found a working Dell computer in the dumpster at his office complex. It appeared to be in functional condition, so he took it home. Sure enough, it took only a bit of tweaking before it was back to working order—as a Curves Fitness employee and customer information smorgasbord.

Adam dug around a little bit on the computer and found employee phone numbers, customer addresses, and credit card info. The Curves in question is located on 134th Street in Vancouver, WA. Adam called to let them know what happened; here was their response:

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one.

I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. In any case, as I said in the post, I contacted the corporate office. After I made this post I did call again and got voice mail; so I left a message inviting the manager to [read this post].

Adam also contacted Curves corporate before contacting the local franchise. They told him that, although each franchise is responsible for its own IT and privacy policies, they agreed that this franchise’s actions were inappropriate and they’d get in touch with the franchise.

Dear Curves, Respect Your Client and Employee

Comments

  1. GrandmaSideways says:

    Interesting, look at the blog post at the end.
    Trackbacks closed, comments closed… And it reads as if he was threatened with legal action…

  2. this is a huge deal. But, the reaction of management is what gets me. They must be so stupid. They are lucky this guy even called. This could have been a huge thing for this franchise.
    idiots

  3. MercuryPDX says:

    @GrandmaSideways: Yeah it was updated. He overwrote the original post. I like the liberal use of “take data security very seriously”.

  4. awaitinginspiration says:

    The post was updated again (7/7) to reflect the accurate nature of the original post’s removal.

  5. TroyM27 says:

    I had been helping deal with this situation most of July 5th and need to clear up a few issues before people rush to judgement. I am a relative of the owner of the club. I helped track down the computer in question which is sitting right next to me as I type this. I am currently making sure the hard drive is wiped, and then destroyed, and the whole computer will be taken to the local recycling center.

    1. This was an accident. The computer was sitting in a storage closet for over 3 years and was accidentally thrown out by an employee.

    2. The computer was taken from a dumpster behind a LOCKED gate on private property.

    3. Any personal information left on the hard drive was part of the GO FIGURE software. The data file created by this software is fully ENCRYPTED and multiple passwords are required to access it.

    4. There was NO CREDIT CARD information on the computer. This Curves franchise DOES NOT accept credit cards nor have they ever accepted credit cards.

    5. No voice mail was ever left with the club. This could have been cleared up immediately if the owner was called, which is the first phone number listed, or if the hard drive was brought back to Curves.

    Also,
    Adam has posted a letter backing up these claims on his personal blog.

  6. MacMasterShane says:

    if you guys think a curves is bad, how about a BANK?

    That’s right.
    a small bank where i used to live and actually bank with was going through a decent upgrade to their systems. great, it was long overdue… gaining internet accounting about 4-5 years behind everyone else.

    i was in the drive through, making a deposit when i spot some computers sitting on the curb. “Score! more project boxes!” i pulled right into the parking spot next to them, popped the trunk, threw the 3 boxes in and took off.

    got to school about 20 min later, pulled one out, plugged it into a test set we had in the lab, and fired it up. Win2k starts loading. Strange? why is this hard drive intact?

    start digging around, the banking client software is still there, user names for their domain, share designations, links to internal web pages, the works. this thing was an id thief’s wet dream come true.

    being the decent guy i was, i wiped all three hard drives with a 7x random re-write. then stopped by the bank on the way home, and withdrew all my funds, went 2 blocks down the road to wells fargo. within the next week, my entire family and everyone i knew had moved all their banking away from that institution.

    when i escorted my mom in to move her mortgage away from them, they asked why with a very sick looking face. i placed the 3 hard drives on the manager’s desk and laid out the entire story. i also told him exactly who else i had told this to, and the names began to ring bells as to who had been in the previous week closing accts.

    i said if he didn’t get this handled promptly and quickly with zero cost, i would take what i know to the local papers.

    i’ve never had a bank transaction go that fast in my life.

    and no, i will not be providing the name of this bank. it’s part of our dealings that i never disclose. but it’s a small town bank, with no branches whatsoever.

  7. mranderson2008 says:

    @TroyM27:

    It’s nice to finally hear from someone from Curves. I understand how you feel regarding the situation; I understand that you got scared crap-less when you found out about this data breach. Nevertheless, you should take note in case you or someone you know is faced with similar criticism on a blog:

    The blogosphere does not take kindly to being censored. It would have been better for you to have released a public statement explaining the breach and the action you are taking to ensure that a similar situation does not occur again and perhaps apologizing. This situation as I understand it was quite minor (no billing info was exposed) and it would have been better of you to have commented (or e-mailed) the original poster (Adam) and explained your side of the situation and offered a public statement for him to post. Forcing someone to remove content from their blog when they did nothing wrong will likely only make you look worse.

    I am not sure of the exact laws but you should understand that the computer was found in the TRASH. I don’t think anyone would argue that anything found in the TRASH is basically fair game; I mean come on, it WAS IN THE TRASH. Just because the trash can was behind a locked gate does not mean that the computer was disposed of securely.

    You mention that the original poster (Adam) should have brought the computer back to your office. The computer was found in the TRASH and so why would anyone assume that you’d want it back? Fact is the second that it hit the trash can the damage was done, the data was compromised. Simply, the computer should have never been in the trash to begin with.

    You say that the computer was in a store room for 3 years. That’s your excuse? Really? Regardless, the system should have been checked for data BEFORE it was thrown out. You simply assumed that it had nothing on it… you know what happens when you assume right?

    I also notice that you are quick to throw your employee under the bus by saying that it was “accidentally thrown out by an employee.” Well, given the physical effort to pick the computer up and place it in a commercial trash can I’m pretty sure that the employee’s actions were quite intentional… at least I’m not sure how you “accidentally” throw a computer in the trash. Furthermore, it’s the owner’s responsibility to train and educate their employees, at the end of the day if the employee did not know better than to just throw it out – it’s the owner’s fault and responsibility.

    If I were you I’d consider myself quite lucky. There are various alternative outcomes that would have resulted in far greater damage – i.e. The local news could have been contacted, a less honest person could have found the computer and used the information for evil. You don’t like what Adam did because it exposed you and your gross negligence.

    I’d imagine that you learned a valuable lesson and you won’t let anything like this happen again; for that you should be thankful.

  8. mranderson2008 says:

    @TroyM27:

    Furthermore – you say that the original poster (Adam) should have brought the computer back to you. Would you have preferred this action simply because it would have saved your butt or because you genuinely think that this was the best action…

    I think what you’re saying is that things would have been much better if Adam would have brought the computer back to you so that you could cover up what had happened; yes I’m sure you would have much preferred to simply COVER UP the issue.

  9. awaitinginspiration says:

    Original post has been put back up.