Biggest thing is that CC info still being on there. That is grossly irresponsible.
Not that I approve ripping people off, but hard to sympathize with Handy when Handy treats (treated?) its employees and workers poorly.
As for the whole transferring over of assets without any secure certs, that's pretty shady and/or lazy not doing that.
Cue someone from said company posting, "oh sorry we're not ready for public and that accidentally got sent" without mentioning why they even have the author's data or why the author's credit card data was apparently sold off.