Dear Curves: respect your client and employee data


The subject of this post is a US based Curves Health Club and has nothing to do with the plus size clothing company Dearcurves (dearcurves.com).


After (finally) speaking with the owner I believe that the Curves in question now takes this matter of data security very seriously and that a similar situation will likely not take place. I believe that this was an isolated oversight and that the owners have learned a valuable lesson (i.e. they were scared shitless and will probably be more careful from now on).

I should clear some things up:

  • Before publishing this I did attempt to contact the Curves in question. My phone call went un-returned.
  • Beyond the phone numbers and addresses contained in the letters (WordPerfect docs) there was no other data found on the system.
  • The Curves database was encrypted and NO EFFORT was made to circumvent this encryption; no billing information (if any existed) was exposed.
  • I was slightly misquoted on The Consumerist: no credit card information was found. My original post pointed out the potential for billing information to be found based off information I read about the iGo software.
  • The hard drive was wiped (by me) using DBAN and no copies of the original data exist.
  • Upon request demand of the owner the computer (and hard drive) were returned to them.


For future reference appropriate means of contacting me regarding posts on this blog are:

  • Via the comments form that is shown below every post.
  • Via my e-mail address [email protected] which is posted on the CONTACT page.


Inappropriate means of contacting me regarding posts on this blog:

  • Coming to my house.

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one. I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. Also, as I note below, I contacted the corporate office. After publishing this post I called the Curves again and left a message inviting the manager to read this post.

About two weeks ago now a relative found a Dell Inspiron 4500 sitting in the dumpster at the complex where he works. As the computer looked perfectly fine and it was obviously thrown out, he grabbed it to take a look at it. When he got it home and booted the system he found that the hard drive was still intact and, other than running very slow, the system seemed fine. He chalked it up to possibly having an infection, spyware or virus and determined that the folks who threw it out didn’t know any better than to just throw it away. It was later determined that the problem was a misconfiguration in the BIOS: the CPU was set to “compatibility mode” rather than “normal mode.” Once the BIOS was configured correctly the system ran perfectly. Additionally, it was determined that the computer came from the Curves that resides in the complex.

Now I can cut Curves a small break for being idiots and throwing away a perfectly good computer, I mean the whole “compatibility mode” thing almost got me. However, what is completely inexcusable is the fact that they left the data on the hard drive intact; both customer and employee data.

I was able to find several documents (Word Perfect) that contained mostly trivial data, while still others contained phone numbers and addresses of both employees and clients. Even more disturbing, the system still contained the Curves database “iGo Figure” which is really just an Access database. By looking at the features of the “iGo Figure” software you can see that the database potentially contains extremely personal information (i.e. credit card information). The database is password protected and, while I didn’t try, extracting the information from the database would likely be trivial.

I contacted Curves corporate office and was told by Pete that (I’m paraphrasing): Each Curves is responsible for their own systems, maintenance, etc. but he felt that this was inexcusable and he would contact the manager of the offending Curves to discuss the matter with them. He also asked me to wipe the hard drive.

No matter who you are or what your knowledge is if you run a business it is your responsibility to educate yourself (or pay someone) on how to handle technological issues like proper data disposal. There is simply no excuse for a scenario like this to occur.

Curves

The Access database:

Curves "iGo Figure" database

Notice the ironic warning about giving out phone numbers to clients:

Curves Phone Numbers

There were a few letters to clients, some contained full addresses:

Curves Client Letter

Curves Client Letter

After taking these screen shots the hard drive was wiped using DBAN. After editing all original versions of the images (to hide full names, addresses and phone numbers) the originals were securely deleted off my system.
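The lesson of this post is disposal, and the part people skip after running a wiper is checking the result. Below is an added example (mine, not the author's and not anything shipped with DBAN) of a small verification scan: it reads a disk image or block device chunk by chunk and flags any chunk that is neither all zeros nor high-entropy fill, which is what leftover letters, spreadsheets or an Access file look like. It assumes the wipe used a zero pattern or a random pattern; the two sample images it builds are constructed for the demo and contain made-up text only.

```python
#!/usr/bin/env python3
"""Verify that a disk image (or block device) has actually been sanitized.

Added example, not from the original post. Each chunk is classified as
  zero     : every byte 0x00 (what a zero-fill wipe leaves behind)
  random   : high Shannon entropy (what a random-fill wipe leaves behind)
  residual : anything else, i.e. likely leftover structured data
Assumption: the wipe pattern was zeros or random data.
"""
import math
import os
import tempfile
from collections import Counter

CHUNK = 4096          # one typical filesystem block
RANDOM_THRESHOLD = 7.5  # bits/byte; real random fill scores ~7.95 per 4 KiB


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant chunk, ~8.0 for random."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_image(path: str, chunk_size: int = CHUNK) -> dict:
    """Walk the image and count chunks by class; record offsets of residual data."""
    stats = {"chunks": 0, "zero": 0, "random": 0, "residual": 0, "residual_offsets": []}
    with open(path, "rb") as f:
        offset = 0
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            stats["chunks"] += 1
            if buf.count(0) == len(buf):
                stats["zero"] += 1
            elif chunk_entropy(buf) > RANDOM_THRESHOLD:
                stats["random"] += 1
            else:
                stats["residual"] += 1
                stats["residual_offsets"].append(offset)
            offset += len(buf)
    return stats


def is_sanitized(stats: dict) -> bool:
    """A drive passes only if it was non-empty and no residual chunk was found."""
    return stats["chunks"] > 0 and stats["residual"] == 0


def build_sample_images() -> tuple:
    """Constructed demo images (not real data): one fully zeroed, one with a
    leftover 'client letter' sitting between zero-filled and random-filled regions."""
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, "wiped.img")
    dirty = os.path.join(tmp, "not_wiped.img")
    with open(clean, "wb") as f:
        f.write(b"\0" * CHUNK * 16)
    # Made-up letter text standing in for a WordPerfect file that survived a wipe.
    letter = b"Dear client, your membership at 123 Example Street (555-0100) ...\r\n" * 40
    with open(dirty, "wb") as f:
        f.write(b"\0" * CHUNK * 4)                 # zero region
        f.write(letter.ljust(CHUNK * 2, b"\0"))    # residual data + trailing zeros
        f.write(os.urandom(CHUNK * 4))             # random-fill region
        f.write(b"\0" * CHUNK * 6)                 # zero region
    return clean, dirty


if __name__ == "__main__":
    # Point scan_image at a real device (e.g. /dev/sdb, needs root) after a wipe;
    # here it runs over the two constructed images.
    for img in build_sample_images():
        s = scan_image(img)
        verdict = "OK" if is_sanitized(s) else "NOT SANITIZED"
        print(f"{img}: {s['chunks']} chunks, zero={s['zero']} random={s['random']} "
              f"residual={s['residual']} at {s['residual_offsets']} -> {verdict}")
```

The entropy threshold is deliberately conservative: a chunk of ordinary text or an Access file sits well below 7.5 bits/byte, so it is reported as residual even when it is surrounded by zeros, and the offsets let you go back with a hex viewer to see what survived.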
