Curves Leaves Working Computer Full Of Personal Information In An Office Dumpster

UPDATE: Adam has been in contact with the owners and has posted an update on his site.

Reader Adam writes in to let us know his relative found a working Dell computer in the dumpster at his office complex. It appeared to be in functional condition, so he took it home. Sure enough, it took only a bit of tweaking before it was back to working order—as a Curves Fitness employee and customer information smorgasbord.

Adam dug around a little bit on the computer and found employee phone numbers, customer addresses, and credit card info. The Curves in question is located on 134th Street in Vancouver, WA. Adam called to let them know what happened; here was their response:

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one.

I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. In any case, as I said in the post, I contacted the corporate office. After I made this post I did call again and got voice mail; so I left a message inviting the manager to [read this post].

Adam also contacted Curves corporate before contacting the local franchise. They told him that, although each franchise is responsible for its own IT and privacy policies, they agreed that this franchise’s actions were inappropriate and they’d get in touch with the franchise.

Dear Curves, Respect Your Client and Employee

Comments


  1. agb2000 says:

    This is a common problem with franchises and small businesses that don’t have big IT departments with smart policies.

    Hey lawyers: can companies be held legally responsible for actions taken by people who steal their computers from their private dumpsters?

  2. u1itn0w2day says:

    Franchises responsible for its own IT and privacy policies??? Who is ultimately responsible? Sounds more like ‘you can’t sue us.’

    But still though, in a day and age of ID theft and countless reports you would think somebody might at least want to smash it with a weight or something.

    I would contact one of the people on the computer and let them know what you found and where you found it THEN see what happens.

  3. n0ia says:

    agb2000: While this is technically not the same thing, have you ever heard of HIPAA, or more importantly, PHI? Health care providers and institutions get fined heavily for not shredding customer information that gets discarded. Regardless of whether it’s going to end up in a “private” dumpster or not.

    I work for a major health care provider, and if we had PHI in a regular trash can rather than one that was designated to be taken to the shredder, and they did an audit and found it – even if it wasn’t out of the building yet – then we would be fined like crazy.

    And if this dumpster is located at an office complex, it hardly makes it private anyway. Anyone who is going to be disposing of electronic equipment, more specifically computers, should at least take 5 minutes and learn how to take the case apart and remove the hard drive, if nothing else.

    Take said hard drive to the firing range and pump it full of lead. Or just find someone who has a degausser and take care of it that way.

  4. tom2133 says:

    Probably not the sharpest knives in the drawer. You would think they wouldn’t consider recycling an old PC?

    (Well, they did throw away the computer.)

  5. pixiegirl1 says:

    If he found the computer in the dumpster the company no longer has ownership to the item. Once you throw something away you give up the rights to it. Now say he went inside of Curves and then took the computer out of the trash while still inside the company that would be another story, but he found it out back in the dumpster. Granted I’m not up to par with Curves privacy policy but I’m going to assume that they are 100% liable for the information on the computer. The least they could have done before tossing it would be taking it to some computer store to have them at least wipe it clean before tossing it.

  6. MisterE says:

    I would be curious what actions (if any) Curves corporate would undertake to notify their customers of the data breach. Perhaps a trip to the local news media would inform past customers?

  7. I found a computer at my local high school the same way. In fact, it’s the one I’m typing on right now. All I did was “recover” the directory, and I now have a full line of Adobe products at my disposal.

  8. @pixiegirl1: Perhaps they brought it to “Geek Squad”. This seems about par with their level of idiocy.

  9. nsv says:

    @agb2000: Is dumpster diving illegal? I shred anything with personal information because I assume that once my trash is outside it’s no longer in my control.

    And if I’m throwing something away which might still have a useful life, I’ll put it on top of the trash can when I put the trash out. (I just did that with a file storage box and a bed frame.) It’s always gone by morning, before the trash is picked up. I figure that’s a good thing–somebody gets something they need, and it stays out of the landfill.

  10. ideagirl says:

    @agb2000: In California, the answer is yes

  11. It is comical to me that people are worried about ID theft. Doesn’t seem to be much theft at all to me. Companies give away your ID, are ordered to give away your ID by a judge, lose your ID, throw away the computer that has your ID stored on the hard drive, so really where is the theft? It is ridiculous that through no fault of my own some bastard can pretend to be me, and due to the laxness of people involved in financial transactions both large and small, I end up with only months of paper work if I am lucky.

  12. Prions says:

    I would not be surprised if the “relative” who got the computer used recovery software to get at that data.

    And the dumpster is still private property. So he’s trespassing. I call bad consumer but also bad company for not wiping all info or destroying the HDD.

  13. MercuryPDX says:

    @Prions: I would. If they threw it away because they couldn’t figure out how to get it out of “compatibility mode”, how encrypted do you think the data is to begin with? I doubt it even had a password protected Admin account.

  14. FrankReality says:

    It’s stating the obvious, but that Curves facility is lucky someone who is honest found that machine.

    Imagine if you will the following:

    1) A crook who steals the credit card info and uses it for personal gain.

    2) A crook who sells the card and personal information to a bunch of other crooks.

    3) The finder takes the PC to a lawyer who specializes in class action suits and gives them the PC in exchange for 10% of whatever the subsequent breach of privacy class action suit returns.

    4) Any combination of 1, 2 and 3 above.

    Other somewhat crazy, but cheap options for destroying the data on the drive:

    – use a power drill or drill press to drill a bunch of large holes through the disk platters.

    – crush the drive. Hydraulic presses and log splitters work great, but be careful.

    – beat the snot out of it with a sledge hammer or an axe.

    Degaussing, unless you have the industrial-strength and expensive type of degausser that is designed specifically for disk drives, is not effective. Tape degaussers just aren’t strong enough to do the job.

    If you live in a large city, you can probably find a company or two that will properly crush and shred disk drives and recycle the pieces.

  15. jackal676 says:

    I think it’s pretty sad when a company has computers but nobody working there who knows enough about them to do even the most basic maintenance. They could have at least formatted the hard drive with some simple googled instructions if they didn’t know how (although a single format doesn’t destroy the data enough to prevent recovery, it’s at least a step in the right direction). And to toss the whole tower in the dumpster? What a waste. I wonder if anything was even “wrong” with it, or if they were just replacing it with a newer system.

  16. sprocket79 says:

    On top of their complete and utter disregard for private information, Adam should also take this opportunity to chastise them for not recycling the computer. Computers don’t belong in the trash!

  17. kayfox says:

    My question is: Why was the computer in the dumpster? Although it’s not illegal to dump computers in all of Washington (yet), it is illegal in King county (Seattle).

    Really, more people should take their old computers to a local co-op or other recycling place, especially if it’s newer and can be fixed.

  18. kayfox says:

    Linkies for Vancouver, WA computer recycling:

    [www.cityofvancouver.us]

  19. kayfox says:

    @FrankReality:

    Eh, or you could just run DBAN on it.

    Linkie:

    [dban.sourceforge.net]

  20. RedSonSuperDave says:

    Setting a speaker magnet on the hard drive for ten minutes won’t erase it?

  21. thewriteguy says:

    @jackal676:

    Most people don’t know crap about computers, nor do they care to. They simply learn enough to get by. (And it’s not just senior citizens; I notice a lot of young people today — teens and people in their 20s — who don’t seem to know much about the workings of a computer, nor do they care to know. They grew up learning to interact with personal computer technology and gadgets by using their thumbs.)

    It’s the same thing with cars. Most people are not “car geeks”.

    I don’t think there’s an easy answer to this and the problems that will arise, such as this blog entry regarding Curves — but I don’t think the majority of people should be expected to become tech-heads, nor is it realistic for that to happen in even another generation. There will always be people who are “into” computers (I count myself as one) and who are interested in this tech/geek stuff, but people like us will always be the minority in society.

    All of these suggestions by others here (free software to securely eradicate the hard drive data, donating the old computers, taking out the hard drive)… It’s all good advice, but the people who really need to know it and practice it will not, because it’s neither their career skillset nor a subject that interests them personally. Just throw it in the dumpster — out of sight, out of mind.

  22. thewriteguy says:

    Another thing that I haven’t seen mentioned here:

    The guy who found the computer in the dumpster is honest and trying to do the right thing. But I’d be careful if I were him — Curves may misinterpret his intentions, and think that he’s a “terrorist hacker” who is extorting them. He could get a call from the local authorities or raided by the FBI, and be sued. Does that sound paranoid? Hey, in this day and age, I wouldn’t bet against that possibility.

    If it were me who found or came into possession of the computer, I would have just securely nuked the hard drive and be done with it.

  23. christoj879 says:

    @thewriteguy: Unfortunately that sounds all too possible. I can just imagine a bunch of out of shape middle-aged women with poor self-image: “That MAN took our information! Get him!” Or something funnier to that effect.

    I try not to open my mouth wherever possible, it just gets me in trouble. Saying nothing is the best policy.

  24. Gopher bond says:

    I don’t think Curves has much oversight on its franchises. My wife used to have a membership and apparently you can use any Curves facility you want. Good for travel and vacation. She seemed to indicate that there are wide ranges of quality across facilities and that some owners were overweight and just in it as a business, which is fine I guess but how good is it for business to have an overweight unhealthy Curves owner?

    Wouldn’t be too hard to assume that if the organization is lax about standards of its main product, it wouldn’t be too forceful about stuff like this.

  25. Greasy Thumb Guzik says:

    @nsv:
    Dumpster diving is legal in Chicago as long as it’s in the alley or not behind a fence.

    I found a computer [Dell] a year or so ago, it still worked & the owner was an employee of a very large specialty medical practice, but the employee was in HR & there were just a few work letters on it.
    I didn’t use the computer as it was Win ME, but I then put the hard drive into yet another Dell, with XP but a dead hard drive. Reinstalled Windows & it works fine.

  26. laserjobs says:

    I pulled a Dell from the dumpster in my condo complex. On it was a detailed monthly store sales breakdown from the local Best Buy. It must have been the store manager’s computer.

  27. littlemoose says:

    The local franchise (and Curves, if the relationship there was sufficiently close) could possibly be found negligent for not eradicating the personal information. But if some crook found it and committed fraud with the personal information contained on it, then neither Curves nor the local franchise would be liable for the fraud. (Not legal advice, people!)

  28. Munsoned says:

    @FrankReality: Aside from the actual client, lawyers aren’t allowed to give a percentage of a lawsuit’s proceeds to non-lawyers. Breach of state ethics rules. (They can pay salaries, etc., but I don’t think finders fees are even allowed.)

    This is why law firms are not public companies in the US.

  29. Eoghann says:

    @Munsoned: Lawyers pay for information all the time. Do you think Private Investigators do their jobs for free? As a consultant, I charged a fee to a law firm for recovering a HDD from a computer in an insurance fraud case. The case was settled, so I was never called as a witness in court to explain the procedure. But, there are rules for forensic data recovery, and I was paid. I’m not a lawyer, or a licensed P.I.

  30. Kevin Cotter says:

    Couldn’t Curves have been turned in for improper disposal of a well-known lead containing device?

    The Resource Conservation and Recovery Act & EPA 40 C.F.R. pt. 260 would cover most of it…

    This is another reason we should not shop at any franchisees. Each side of the business claims they are not responsible while consumers pay the price.

  31. attheotherbeach says:

    Did it use the FAT32 file system?

    LOL… I kill me!

  32. howie_in_az says:

    OP was completely wrong in this situation. Here’s how the initial phone conversation should have gone:

    OP: Hi, I need to speak to the manager about a data breach.
    Curves Employee: He’s not in right now.
    OP: That’s ok, I’ll call him at home.

    OP: Hi. I needed to talk to you about a data breach at the Curves you manage.
    Curves Manager at home: wtf?!

    OP has all the data and should have made a point of using it. Maybe then companies would be less likely to just throw out machines with tons of data on them.

  33. howie_in_az says:

    @kayfox: I’m partial to Eraser ([sourceforge.net])

  34. lordargent says:

    Aren’t there laws against just throwing away computer components because of the chemicals in them?

  35. ShadowFalls says:

    @lordargent:

    Yes there is, mostly because of the mercury and lead content in them.

  36. n0ia says:

    @RedSonSuperDave: Have you ever taken a hard drive apart? It has magnets in it far more powerful than a speaker. If it did any damage at all, it probably wouldn’t be enough damage to render all the data unrecoverable.

    One of the easiest and most effective ways to destroy a hard drive (assuming you don’t ever want to use it again) is to degauss it (it basically removes the magnetic field from the platters). Or you could just wipe the drive with a utility that wipes it, writes over it, wipes it, wipes over it, over and over again so that any data on the drive has been written over so many times it’s unreadable.

    I still think the most fun method of destroying a drive is to take it apart and have fun with the spindles… or shoot it.
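    The point jackal676 made above (a single format does not destroy the data) and the repeated-overwrite approach n0ia describes, as an added shell illustration that is not from the page or any commenter. The image file name and the sample customer record are constructed stand-ins for a discarded drive, and a quick format is simulated by zeroing only the front of the image, since that is all a metadata-only format rewrites.

```shell
#!/bin/sh
# Added illustration (not from the page or its commenters): a file-backed "drive"
# shows why a quick format leaves a customer record recoverable while a
# multi-pass overwrite removes it. File name and record are constructed.
set -eu

IMG="${TMPDIR:-/tmp}/discarded_drive_demo.img"   # stand-in for the thrown-out disk
RECORD="CONSTRUCTED-RECORD: Jane Doe, 555-0100, 123 Sample St"

# Build a 1 MiB image with a fake filesystem header at the front and the
# record sitting in the data area (offset 512 KiB), like a file on a real disk.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf 'FAKEFS HEADER' | dd of="$IMG" bs=1 conv=notrunc 2>/dev/null
    printf '%s' "$RECORD" | dd of="$IMG" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Returns 0 if the record can still be carved out of the raw image, 1 if not.
# grep -a treats the binary image as text; -F matches the record literally.
record_present() {
    grep -a -q -F -- "$RECORD" "$IMG"
}

# A quick format rewrites only filesystem metadata at the start of the disk;
# the data blocks are untouched, which is why carving tools still find them.
quick_format() {
    dd if=/dev/zero of="$IMG" bs=4096 count=1 conv=notrunc 2>/dev/null
}

# Overwrite the whole image $1 times with random data, then once with zeros,
# the pattern DBAN/Eraser-style wipes follow. On a real disk the target would
# be the block device itself, not a file.
wipe_image() {
    passes="$1"
    size=$(wc -c < "$IMG")
    blocks=$((size / 4096))
    i=0
    while [ "$i" -lt "$passes" ]; do
        dd if=/dev/urandom of="$IMG" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    dd if=/dev/zero of="$IMG" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
}

# Run both stages; returns 0 only when the wipe actually removed the record.
demo() {
    make_image
    quick_format
    if record_present; then
        echo "after quick format: record still recoverable"
    else
        echo "after quick format: record gone (unexpected for a metadata-only format)"
    fi
    make_image
    wipe_image 3
    if record_present; then
        echo "after 3-pass wipe: record still present"
        rm -f "$IMG"
        return 1
    fi
    echo "after 3-pass wipe: record gone"
    rm -f "$IMG"
}
```

    Run `demo` to see both stages; the same `record_present` check is the verification step to run against a drive image before it leaves your hands.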

  37. ptrix says:

    hmm, if i wanted to find a computer that was discarded in such a manner, where would be the best places to look, and when?

    i’m only asking because as far as any of you know, i’d like to do my part for the environment by making sure they are properly recycled or disposed of, instead of landing in a landfill

  38. D0rk says:

    At the company I work for (I do IT work for a global human resources outsourcing firm), we’re not allowed to let a single electronic component containing circuitry to hit the trash can. It’s all inventoried by serial and shipped out to a disposal vendor who at the point of pickup assumes all legal responsibility related to the proper disposal and any information on the computers.

    This is a clear case of ignorance for the level of information security necessary in today’s world. Even if the OP wasn’t out for malicious information theft, there’s thousands of people who dumpster dive specifically for the purpose of stealing information.

  39. baristabrawl says:

    @ideagirl: Same in Indiana. If you throw it away, even if it’s still on your property, it can be taken by anyone.

  40. timsgm1418 says:

    @nsv: try freecycle.com…I’ve gotten rid of a lot of stuff that way

  41. tenio says:

    data security really is a problem, i mean it seems like the only real way to keep data safe is to hit it with a hammer

    companies might soon force consumers to sign waivers saying “We [the company] are not responsible for any personal information lost or stolen from our computers”

  42. brian25 says:

    This would all be a moot point if the software they were using was using top-notch encryption and all the OP would have would be a Curves computer which he could not read the data. If the Health and Fitness industry clamped down on software vendors like VISA did for the PCI Compliance, then we would have less chance of a leakage.

  43. Gopher bond says:

    @ptrix: try the dumpsters at Schools and other local and/or obscure government facilities. Government is the best because everyone owns it, nobody actually paid for it (directly) and nobody cares about it but you’ll get in trouble if you take it for yourself. When you get a situation like that, useful stuff always ends up in the trash.

  44. snoop-blog says:

    @baristabrawl: nice to see another hoosier! Anyway, I can’t agree with dumpster diving. I view it as a total invasion of privacy. But I guess the worse that the economy gets, the more we will be seeing of it.

  45. bohemian says:

    We got a bunch of old computers through a charity resale event. One had personal data of every resident in an assisted living facility. The other had detailed information and address books for one of the state political parties. We tried to get in contact with someone at the assisted living facility but nobody would talk to us or call us back. We ended up using killdisk on both and went about fixing the computers for our own use.

    PC disposal is one privacy issue most people and most small businesses are totally clueless about.

  46. Aesteval says:

    @brian25: I think there’s a better chance to convince them to properly dispose of the data than to get them to encrypt their data in the first place. And technically they should be doing both.

  47. @agb2000: I’m not sure it counts as theft.

    One: According to some laws in some areas, once it’s in the trash, it’s public property. Anyone can take it. Even the police apply this rule to search trash cans and trash bags without warrants.

    Two: Even if it does not count as public property, the fact of the matter is it was located for service and usage on the office complex at which he worked, therefore he has every right to insert and (if that’s your kind of thing) remove items from the trash as he so sees fit.

    Either way you look at it, nothing illegal occurred here aside from a severe lack of sensibility in data security by Curves. Of course we all know the most effective way to destroy data: Sledgehammer.

  48. brian25 says:

    @Aesteval:
    I think you are missing the point. The software they are using to store and process customers is no GOOD. Like I said, if the Health and Fitness Industry clamped down on this problem, then the merchants would be much more educated about it. We can’t hope for a bottom-up approach, it has to be top-down. That’s why, for example, VISA started with the acquirers, banks, developers, and then merchants. Soon it will not matter to be ignorant about PCI, like healthcare privacy laws, because the industry and government will start fining.

  49. battra92 says:

    I know people who “dumpster dive” for PC parts but do so from the local dump who is okay with it. Less for them to pay for disposal on, I suppose.

    Very few people perform a good DoD wipe on their hard drives I’m afraid. One such hard drive I got via a similar method was DoD wiped before I even put it in a working PC. I was more worried about viruses than finding someone’s data but hey, I know I’d be happy if dumpster divers had a code of honor like that.

  50. TroyM27 says:

    This was posted on [www.awaitinginspiration.com] this evening.

    Dear Curves: respect your client and employee data [UPDATE]
    Saturday, July 5th, 2008

    I was recently contacted by the owner of the Curves mentioned in the original post: “Dear Curves: respect your client and employee data” and after our conversation I can assure you that the owner was very distraught regarding this data breach and that they take their client’s data security very seriously. It was explained that the computer in question had been placed in a store room that was being cleaned out; the computer was unfortunately thought to have contained no data and was thrown out by an employee who was operating under that assumption.

    Hindsight being what it is (20/20), I realize that the proper action would have been to take the computer (or at least the hard drive) back to the Curves in question and inform them of the problem. I sincerely apologize for taking the haphazard action that I did and there are some things that are important to clarify:

    * Beyond the phone numbers and addresses contained in the letters there was no other data found on the system.
    * The Curves database was encrypted and NO EFFORT was made to circumvent this encryption; no billing information was exposed.
    * The hard drive was wiped and no copies of the data exist.

    After my conversation with the owner I came away with the distinct impression that they take matters like this very seriously and they have measures in place to deal with old computers securely and this was simply an unfortunate oversight. I can assure you that in the case of this Curves they take data security very seriously.

    Adam Byers

  51. GrandmaSideways says:

    Interesting, look at the blog post at the end.
    Trackbacks closed, comments closed… And it reads as if he was threatened with legal action…

  52. This is a huge deal. But, the reaction of management is what gets me. They must be so stupid. They are lucky this guy even called. This could have been a huge thing for this franchise.
    idiots

  53. MercuryPDX says:

    @GrandmaSideways: Yeah it was updated. He overwrote the original post. I like the liberal use of “take data security very seriously”.

  54. awaitinginspiration says:

    The post was updated again (7/7) to reflect the accurate nature of the original post’s removal.

  55. TroyM27 says:

    I had been helping deal with this situation most of July 5th and need to clear up a few issues before people rush to judgement. I am a relative of the owner of the club. I helped track down the computer in question which is sitting right next to me as I type this. I am currently making sure the hard drive is wiped, and then destroyed, and the whole computer will be taken to the local recycling center.

    1. This was an accident. The computer was sitting in a storage closet for over 3 years and was accidentally thrown out by an employee.

    2. The computer was taken from a dumpster behind a LOCKED gate on private property.

    3. Any personal information left on the hard drive was part of the GO FIGURE software. The data file created by this software is fully ENCRYPTED and multiple passwords are required to access it.

    4. There was NO CREDIT CARD information on the computer. This Curves franchise DOES NOT accept credit cards nor have they ever accepted credit cards.

    5. No voice mail was ever left with the club. This could have been cleared up immediately if the owner was called, which is the first phone number listed, or if the hard drive was brought back to Curves.

    Also,
    Adam has posted a letter backing up these claims on his personal blog.

  56. MacMasterShane says:

    if you guys think a curves is bad, how about a BANK?

    That’s right.
    a small bank where i used to live and actually bank with was going through a decent upgrade to their systems. great, it was long overdue… gaining internet accounting about 4-5 years behind everyone else.

    i was in the drive through, making a deposit when i spot some computers sitting on the curb. “Score! more project boxes!” i pulled right into the parking spot next to them, popped the trunk, threw the 3 boxes in and took off.

    got to school about 20 min later, pulled one out, plugged it into a test set we had in the lab, and fired it up. Win2k starts loading. Strange? why is this hard drive intact?

    start digging around, the banking client software is still there, user names for their domain, share designations, links to internal web pages, the works. this thing was an id thief’s wet dream come true.

    being the decent guy i was, i wiped all three hard drives with a 7x random re-write. then stopped by the bank on the way home, and withdrew all my funds, went 2 blocks down the road to wells fargo. within the next week, my entire family and everyone i knew had moved all their banking away from that institution.

    when i escorted my mom in to move her mortgage away from them, they asked why with a very sick looking face. i placed the 3 hard drives on the manager’s desk and laid out the entire story. i also told him exactly who else i had told this to, and the names began to ring bells as to who had been in the previous week closing accts.

    i said if he didn’t get this handled promptly and quickly with zero cost, i would take what i know to the local papers.

    i’ve never had a bank transaction go that fast in my life.

    and no, i will not be providing the name of this bank. it’s part of our dealings that i never disclose. but it’s a small town bank, with no branches whatsoever.

  57. mranderson2008 says:

    @TroyM27:

    It’s nice to finally hear from someone from Curves. I understand how you feel regarding the situation; I understand that you got scared crap-less when you found out about this data breach. Nevertheless, you should take note in case you or someone you know is faced with similar criticism on a blog:

    The blogosphere does not take kindly to being censored. It would have been better for you to have released a public statement explaining the breach and the action you are taking to ensure that a similar situation does not occur again and perhaps apologizing. This situation as I understand it was quite minor (no billing info was exposed) and it would have been better of you to have commented (or e-mailed) the original poster (Adam) and explained your side of the situation and offered a public statement for him to post. Forcing someone to remove content from their blog when they did nothing wrong will likely only make you look worse.

    I am not sure of the exact laws but you should understand that the computer was found in the TRASH. I don’t think anyone would argue that anything found in the TRASH is basically fair game; I mean come on, it WAS IN THE TRASH. Just because the trash can was behind a locked gate does not mean that the computer was disposed of securely.

    You mention that the original poster (Adam) should have brought the computer back to your office. The computer was found in the TRASH and so why would anyone assume that you’d want it back? Fact is the second that it hit the trash can the damage was done, the data was compromised. Simply, the computer should have never been in the trash to begin with.

    You say that the computer was in a store room for 3 years. That’s your excuse? Really? Regardless, the system should have been checked for data BEFORE it was thrown out. You simply assumed that it had nothing on it… you know what happens when you assume right?

    I also notice that you are quick to throw your employee under the bus by saying that it was “accidentally thrown out by an employee.” Well, given the physical effort to pick the computer up and place it in a commercial trash can I’m pretty sure that the employee’s actions were quite intentional… at least I’m not sure how you “accidentally” throw a computer in the trash. Furthermore, it’s the owner’s responsibility to train and educate their employees, at the end of the day if the employee did not know better than to just throw it out – it’s the owner’s fault and responsibility.

    If I were you I’d consider myself quite lucky. There are various alternative outcomes that would have resulted in far greater damage – i.e. The local news could have been contacted, a less honest person could have found the computer and used the information for evil. You don’t like what Adam did because it exposed you and your gross negligence.

    I’d imagine that you learned a valuable lesson and you won’t let anything like this happen again; for that you should be thankful.

  58. mranderson2008 says:

    @TroyM27:

    Furthermore – you say that the original poster (Adam) should have brought the computer back to you. Would you have preferred this action simply because it would have saved your butt or because you genuinely think that this was the best action…

    I think what you’re saying is that things would have been much better if Adam would have brought the computer back to you so that you could cover up what had happened; yes I’m sure you would have much preferred to simply COVER UP the issue.

  59. awaitinginspiration says:

    Original post has been put back up.