Original post removed on 7/5 due to threat of legal action by the owner of the Curves franchise but I don’t like being censored so I have decided to put the original post back and reopen comments.
I have a new policy: I will not remove posts because people don’t like them
After speaking with the owner I believe that the Curves in question takes this matter (data security) very seriously and that a similar situation will likely not take place. I believe that this was an isolated oversight and that the owners have learned a valuable lesson.
I should clear some things up:
- Beyond the phone numbers and addresses contained in the letters (WordPerfect docs) there was no other data found on the system.
- The Curves database was encrypted and NO EFFORT was made to circumvent this encryption; no billing information (if any existed) was exposed.
- I was slightly misquoted on The Consumerist - no credit card information was found. My original post pointed out the potential for billing information to be found based off information I read on the iGo software.
- The hard drive was wiped (by me) using DBAN and no copies of the data exist.
- Upon
requestdemand of the owner the computer (and hard drive) were returned to them.
For future reference appropriate means of contacting me regarding posts on this blog are:
- Via the comments form that is shown below every post.
- Via my e-mail address adam [at] awaitinginspiration.com which is posted on the CONTACT page.
Inappropriate means of contacting me regarding posts on this blog:
- Coming to my house.
update: someone (TroyM27) calming to represent the owner of the Curves in question posted a comment on The Consumerist.
update: mranderson2008 makes some very good points.
update: Tyler Reguly posted about this on his blog.
Original post:
About two weeks ago now a relative found a Dell Inspiron 4500 sitting in the trash at the complex where he works. As the computer looked perfectly fine and it was obviously thrown out, he grabbed it to take a look at it. When he got it home and booted the system he found that the hard drive was still intact and other than running very slow the system seemed fine. He chalked it up to possibly having an infection, spyware or virus and determined that the folks who threw it out didn’t know any better than to just throw it away. It was later determined that the problem was a misconfiguration in the BIOS, the CPU was set to “compatibility mode” rather than “normal mode.” Once the BIOS was configured correctly the system ran perfect. Additionally, it was determined that the computer came from the Curves that resides in the complex.
Now I can cut Curves a small break for being idiots and throwing away a perfectly good computer, I mean the whole “compatibility mode” thing almost got me. However, what is completely inexcusable is the fact that they left the data on the hard drive intact; both customer and employee data.
I was able to find several documents (Word Perfect) that contained mostly trivial data, while still others contained phone numbers and addresses of both employees and clients. Even more disturbing the system still contained the Curves database “iGo Figure” which is really just an Access database. By looking at the features of the “iGo Figure” software you can see that the database potentially contains extremely personal information (i.e. credit card information). The database is password protected and while I didn’t; extracting the information from the database would be trivial.
I contacted Curves corporate office and was told by Pete that (I’m paraphrasing): Each Curves is responsible for their own systems, maintenance, etc. but he felt that this was inexcusable and he would contact the manager of the offending Curves to discuss the matter with them. He also asked me to wipe the hard drive.
No matter who you are or what your knowledge is if you run a business it is your responsibility to educate yourself (or pay someone) on how to handle technological issues like proper data disposal. There is simply no excuse for a scenario like this to occur.
The Access database:
![Curves \"iGo Figure\" database](http://media.awaitinginspiration.com/2008/curves/curves_file_2.jpg "Curves \\"iGo Figure\\" database")
Notice the ironic warning about giving out phone numbers to clients:
There were a few letters to clients, some contained full addresses:
After taking these screen shots the hard drive was wiped using DBAN. After editing all original versions of the images (to hide full names, addresses and phone numbers) the originals were securely deleted off my system.
The offending Curves is located at:
1313 NE 134th Street, Suite. 110 Vancouver, WA 98685 (360) 566-8333
Related: “Greg Weiss of Northland Church: Respect People’s Data”
{ 6 comments… read them below or add one }
Just another reason for me to remind my wife NEVER TO RETURN TO CURVES.
It’s a shame they felt they had to threaten you when you were trying to HELP THEM!
@Sean
No worries Sean… while the owner did threaten legal action they never specifically told me to remove the post. They told me that I need to post an apology but I’m still trying to figure out exactly what I’m supposed to apologize for. I do think that the owner owes me an apology for showing up at my HOUSE and screaming at me… but that’s just me. In any case I did feel threatened, so I removed the post and posted an apology at first… but then I came to my senses.
You didn’t need to apologize. Dumpster diving is not illegal. You did nothing wrong. The police don’t need a warrant to go through trash at a curb. Trash in a dumpster is not considered private property. They owe you an apology, I hope you get it.
@Tom-E
Thanks for the comment… I don’t think I will be receiving an apology form the owners any time soon. while I do believe that they learned their lesson regarding proper data disposal; I don’t think that they felt they did anything wrong per se.
What I’d really hope the owners would do is to apologize to their clients and train their employees on how to properly handle issues like disposal the of a computer so that something like this does not happen again.
I don’t know if you’re a little guy and/or easily scared or something but really you should have stuck to your guns on this. Next time talk to a lawyer before you cave to dumb phux
Ken,
I am what you’d call a “little guy” if what you mean is to say is that I don’t have an army of lawyers and what not to defend me… as for easily scared? I admit that after the owner and her husband showed up at my door screaming (the owner screamed at me, her husband acted pretty civil and even seemed annoyed by his wife’s actions) at me about calling layers and the police I did get scared. At their request I returned the computer, and replaced the original post with a “retraction” of sorts. A few days later I came to my senses, removed the “retraction” and put the original post back up - I didn’t like the feeling of being pushed around.
The funny this is that they [the owner(s)] were really, really concerned with me posting a retraction/apology on this site… this post has gotten maybe 3000 views since it was published. What they [the owner(s)] should have really been concerned with is the 13,000+ views its gotten over at the Consumerist… I don’t imagine they asked them to remove the post from their site; realizing that the Consumerist isn’t the “little guy”. I imagine that they [the owner(s)] thought they could punk me around and I’m a bit ashamed to admit that they succeeded… for a little bit anyway.
I put the original post back up because I don’t feel that I did anything wrong. What I posted is truthful and accurate. In the days following the owner(s) showing up at my house (screaming at me loud enough for neighbors to hear) I grew a pair and decided to republish.