February 8, 2010 3:05 PM

Copiers: Gold Mines for Identity Theft

By CBSNews
(KOVR)  Your doctor, lawyer, or tax preparer could all be unwittingly giving away your very private information. And they're doing it by using copy machines. You may already be a victim and not even know it, reports Tony Lopez of CBS Station KOVR in Sacramento.

The copy machine is an important and seemingly harmless part of our lives. And when it's time to upgrade, the old ones are sometimes sent to e-waste centers for recycling, but usually they wind up in a wholesale warehouse on the used copier market.

KOVR went to one of two in Sacramento with John Juntunen, an expert on the copy machine business. There were hundreds of machines, shrink-wrapped and ready for shipment.

"You're looking at 15, 20 thousand documents each," Juntunen says - documents that still reside inside. Most copy machines use hard drives to store every document that has been scanned, printed, faxed, or e-mailed.

That electronic file will stay there until someone removes it or new documents push out the oldest ones.

"But this machine here, I can tell it hasn't been cleaned because of the IP-address on it," he says.

Juntunen, and his company Digital Copier Security, specialize in removing the data on those drives; they're hired by companies who know the importance of doing that before getting rid of their copiers.

As easy as tapping the screen, he finds files and is able to print them. One is a confidential child support application.

Like any potential buyer can do here, he connects a computer that allows him to see, download and print whatever is on the hard drive of one of these copiers.

One is a local machine from McCarthy Construction, a major commercial builder. On it, he finds what are clearly marked "confidential" financial statements.

We took it to their Roseville office. A vice president confirmed it is highly confidential, but was confused about how we had gotten it; he didn't want to talk beyond that.

"So here's documents that are stored on the machine," Juntunen shows us. Another machine, more documents -- it's just too easy.

This time we find financial records, including an IRA application for a woman named Marilynne Boyd. Marilynne's husband Harold couldn't believe what we had.

"They have the address, the social security number, they have the date of birth, I mean it's ridiculous," he says while reading the paper we gave him. And it's all in one document.

"It basically becomes an identity thief's dream," says Sean O'Leary. He's the senior analyst for Digital Copier Security. He says laws that prevent the release of private information aren't being enforced when it comes to copier data.

He blames a lack of awareness by authorities and by the businesses themselves.

The moment a copier, rich with files, leaves, let's say, a medical office, patient privacy laws have been violated. "The medical practitioners lost control of that medical file at that point, and that's information that nobody should have," O'Leary says.

Juntunen's office is filled with hundreds of hard drives, many containing thousands of files.

This drive came to us from a customer who bought the used copier from that wholesaler in Sacramento.

He replaced it with a new one but noticed it was loaded with files. On it - a document full of names and numbers, but there was one that caught us by complete surprise - the private information of Caroline Kennedy, the political family scion, socialite and sometime candidate. We dialed Mrs. Kennedy's home number, and her husband Edwin Schlossberg answered.

He had no interest in talking about how their privacy was compromised, and asked us to tear up the paper.

The next day, Mrs. Kennedy's assistant called to tell us "Caroline appreciates us bringing this issue to her attention. She was very surprised to hear about this and was not aware [of the problem]."

That page is one of dozens that were retrieved from a copier recently used by the Bay Area's Omidyar Networks. It's a philanthropic investment firm and was established by Pierre Omidyar, the founder of eBay.

Also on that drive - files containing Omidyar business partners: billionaire financier George Soros and Google.

Among the documents there were e-mails, account summaries, budgets, non-disclosure agreements, and Omidyar's financial contributions. And there was a document that contained the signature of a Google vice president and general counsel.

Right now, no one has a legal responsibility to wipe copier drives clean of potentially damaging data. Warehouses all over America are full of used copy machines containing millions of files just waiting to be mined by unscrupulous criminal profiteers.

Even more worrisome is that an estimated 70 percent of these machines will ultimately land overseas in China, Europe, everywhere. And of the data-filled hard drives that are salvaged from machines sent to e-waste recyclers, many will wind up for sale online.

"[It's an] issue that's going to have major ramifications. It's going to hit like a ton of bricks when it does hit," warns O'Leary.

Meanwhile, consumers like Harold Boyd and his wife are left, at best, wondering what's next.

"Uh, you and I will sit down and talk about because we don't know what's out there now. I mean this really scares you," Harold tells his wife over the phone.

Omidyar Networks said it appreciated us bringing this issue to their attention, and that it's using built-in security systems to protect the data on its copiers.

There is security software that offers some protection for the data on those hard drives, but experts say it's not always used, and it's not 100 percent effective.

Digital Copier Security says its efforts to raise awareness are being met with indifference by authorities, copier dealers and lawmakers.

They say copier companies are reluctant to tell their customers about this document retention issue, because it would likely cost them hundreds of dollars extra on top of the copier's cost.

Also know that public copiers like those at grocery stores, drug stores, and copy centers all likely have hard drives. You may want to ask management about their privacy policy regarding the data that's stored on those machines.

KOVR
by patrick1921 June 3, 2011 11:23 AM EDT
I've been working in the copier industry for a large corporation for over 20 years and the hard drives in copiers can be an issue, but there are numerous solutions for it as well. I have all kinds of free copier advice I can give you and I'm not trying to sell you anything and I don't want anything in return. Get the facts without the sales pitch. Check out my site at www.copieradvice.com
by charlesmeza312 April 23, 2010 10:14 PM EDT
Is this story true? What free software does he use to connect the hard drive to a laptop? I would like to try it on my copy machine.
by paranoid74 April 19, 2010 7:00 PM EDT
So WHY do copiers need HDD to save this information? I see NO useful reason for a HDD to save all copied/printed/faxed. Even scanned stuff should be deleted in 10 days or so. Sounds like the copier companies could solve this easily, and for less than a $500.00 option!
by Vince_Jannelli April 15, 2010 6:14 PM EDT
For those folks that are new to this topic, this is a real eye opener. Some of you might be asking so what should I do? A first step is to realize that the best security solution is a layered approach. Simply, no single step or technology will provide 100% assurance. However, a comprehensive, layered approach will go a long way toward mitigating any threat to confidential or protected information and provide ease of mind. This has always been the key to Sharp's approach...

To get started, consider some simple copier security tips:

1. Shred Your Digital Data: As illustrated in this story, residual data on your copier's hard drive can be the easiest way for confidential data to walk out your door. A low-cost Data Security Kit, informally known as a "digital shredder," can render data unreadable by first encrypting and then overwriting it after every job.

2. Protect your network: Your computer network gives hackers an easy route into the very heart of your firm. To protect yourself, all your network assets must protect against unwanted access. Securing your copier's network interface through MAC address filtering and port limiting helps you keep unauthorized visitors out.

3. Print Privately: Information theft can result from nothing more complex than simply forgetting that you have copied or printed a confidential document, or getting distracted on the way to pick up a document. Select copiers offer a Confidential Printing feature that requires users to enter a PIN code, similar to an ATM, before printing a document.

4. Auditing Raises Awareness: Unauthorized use of equipment can be deterred if users know they're being monitored. Electronic auditing of copier use allows you to monitor who, when and where an individual is using the copier, and hopefully to identify abuse at an early stage.

These are just a few of the steps that can be taken, so always ask your vendor about their layered approach, and don't take security for granted.
by MikeMarusic April 15, 2010 2:53 PM EDT
For the past 7 Years, Sharp has been trying to alert end users about this risk. Sharp was the first company to be certified by Common Criteria (governmental certification) for their security offerings, and has won MFP Security awards every year since. A few years ago, there were TV commercials on this too. In addition to the hard drive risk outlined in this story, there are also networking risks and Sharp continues to be the only company providing MAC Filtering on all products to protect the network access. This is a significant risk and people need to be aware of it. A great story.
by larrykovnat February 10, 2010 4:48 PM EST
Great story, but I disagree with your point about copier companies not wanting to address this important issue with their customers. I lead Xerox's product security group and spend my time working directly with customers to assess their security needs: identify where information resides, how it is transferred and the risk factors that exist in customer work processes. We estimate that more than 850 million impressions are created per year using printers and copiers, leaving large amounts of data vulnerable. As one of the posters points out, many single-function (that is, printers) and smaller products don't have hard drives. For those that do, understand that each new job will overwrite the data from the job just before, so it is an exaggeration that drives have "15, 20 thousand documents each". However, relying on the next job to overwrite the previous job is not reliable, which is why our products come with encryption so that any data written to the disk is protected while at rest on the disk. This is coupled with an Image Overwrite Security feature that electronically "shreds" information stored on the hard disk(s) of devices as part of routine job processing. The electronic erasing can be performed automatically when each print job is completed or reset manually as needed. In addition, Xerox has a program to physically remove hard drives from the machines when the devices are being decommissioned or disposed of. The drives are turned over to the user for proper destruction or disposal, virtually eliminating the risk of unauthorized access to classified data. In addition to discussing these issues with our customers daily, we also host a site devoted to security issues that includes alerts and patches for vulnerabilities: Xerox's security page.

Larry Kovnat, product security manager, Xerox Corporation
by 2779time April 13, 2010 3:22 PM EDT
Larry:

None of the machines tested for this story, or the national story appearing on the CBS Evening News soon, were Xerox machines. It is not an exaggeration that for many makes/models currently in use, 15-25 thousand documents can be retrieved. Of course extraction methodologies, capacities, and complexities vary among makes/models, and as you know larger, more sophisticated machines oftentimes have multiple drives.

The question for XeroX given your product security statements would be....What are your field sales pros trained to do when they have "converted" a client from a competitor's make to new XeroX equipment? Given what I suppose to be a client-centric sales model, what do they tell the client about the old equipment? And how effective are they in implementing this protocol?

I would like to continue this discussion....Sean, DCSI
by tmittelstaed February 8, 2010 5:00 PM EST
Typically home printers do not have hard drives. Small home office printer/copiers also generally don't have hard drives, and even the medium-sized printers and copiers don't usually have them either. But the larger copiers and network printers are a different story.

Generally if a copier or printer dies and is scavenged for parts and the drive is removed, it's not a problem because the ultimate user of the hard drive is unlikely to have the software to access the drive files, or take the time to do it.

The real problem is the used technology resellers. A good reseller, whether they are buying and selling old computers, or copiers, or anything with data on it, will wipe the data before resale.

The problem is the opportunistic sellers. For example I have bought and sold (to customers) several hundred Cisco routers from eBay over the years (I work for an ISP). Many times I get routers from eBay sellers who are used equipment dealers who get these devices as part of pallets of used equipment, and don't know what they are or what their value is, so they can't wipe them (nor do they know they need wiping) and these devices have names and network passwords still in the configuration files saved in the router firmware. Since it's not uncommon for admins to reuse passwords I probably could have broken into a few dozen corporate networks by now if I had wanted to spend time doing it.

I am troubled by something mentioned in this story, though:


"...Juntunen, and his company Digital Copier Security, specialize in removing the data on those drives..."

"...Juntunen's office is filled with hundreds of hard drives, many containing thousands of files..."


Now, I can understand why the guy has these drives, they are given to him by people like that guy who replaced his copier hard drive and noticed the old one had files, then brought it to Digital Copier Security since he was one of the few buyers with the wit to understand what it might have on it. These drives are leftovers from upgrades, most likely. But, what is DCS going to do with these drives? Blackmail the people who have data on them? Why the heck are they saving them? They know the data on them isn't their data, so they should wipe them and get rid of the drives. And if the drive is smaller than 100GB nobody is going to want it so you don't even have to bother wiping them and reselling them - you just take a plain old household drill and drill a hole right through the drive platters, then throw it in the recycling.

What is this guy going to do a week from now when some identity thief gang reads this story, and goes to his company with a few friends with guns and a big bag in broad daylight, and demands all the hard drives?

I have a problem with companies like DCS - if they don't have copier techs on staff and aren't repairing copiers then all they are doing is when the copier tech comes out to your business and updates that used copier you bought, and hands you the old drive before he leaves, DCS expects you to take the drive to them and pay you money to "dispose" of it. Some business - they just reprogram the drive with a large, heavy axe and sell their piles of drive fragments to the scrap aluminum smelter. They get money from both sides of the business for doing something that a high school dropout and a sawzall could do, and then put on airs and call themselves a "security company"
by 2779time April 13, 2010 2:17 PM EDT
Let me clear up a few points. You have a fundamental misunderstanding of what DCSI does. We don't take drives from users and charge them for destruction......that would constitute a data breach with sanctions/penalties/fines ranging in the millions (depending on the industry). We never leave a user's premises without erasing the drive first, according to NIST standards. Our entire 11 step process is detailed on our website. And the news article mis-spoke about our inventory of drives....the ones they referenced in print and showed on the TV news segment are new drives, not used ones.

Breach and identity theft prevention are what we are all about, i.e. helping machine users stay compliant and protecting the public...I guess that qualifies us as a "security" company.

The reason I am responding now is that the national story, which if you are in the data anything business you will find most enlightening, will be running soon on CBS.
by Skruffy1 February 8, 2010 4:20 PM EST
Dang... next thing ya know, they'll be making a gizmo you can put a document in and you push a button and it'll make a digital copy. They could call it... let's see... a "scanner". Yeah, that's the ticket!
by Skruffy1 February 8, 2010 4:18 PM EST
Gosh, no s#$%?? You mean technology like copy machines, digital cameras, printers and stuff could be used to make -- ~gasp~ COPIES of stuff????!!! I am shocked, I tell ya...
by kenhamlett February 8, 2010 4:01 PM EST
This is not new at all. Even before there were drives to capture digital images, copy stores were gathering copies of documents and gleaning them for any valuable information.
Since I notice this article originates in Sacramento, it should be noted that this trend originated right on Arden Way. Blog rules prohibit my giving the name of the company but they have been bought out by a larger company anyway. In any event Sacramento, as always, has the sleaziest reputation on the west coast and it is well deserved.
It is not the information traveling along with a used copier that is the story. It is the FACT that this information is stolen from you willfully by many copy stores. Beware.