Digital Copiers @ Risk for Data Breach


Does your office have a copy machine? Better question: Did your office have a copy machine that was recently junked or sold for salvage? Or maybe your lease ran out and you were upsold for a newer model? Did you erase the hard drive?  Digital copiers are computers. Everything you copy on a digital copy machine gets saved to its hard drive. The hard drive might include payroll, medical records, merger & acquisition plans, labor negotiations, employee performance evaluations, even pending litigation….get the picture? The data can be accessed and stolen remotely; or, it can be downloaded it once the drive is removed….unless you erase the drive. Which begs a question: did you know you were storing all that information on the copier? If so, what could you have been thinking?! This is the functional equivalent of wearing a digital “Kick Me” sign.

Cases in Point: Affinity Health Plan, a New York insurance company, filed a breach report as required by the breach notification rule of HIPAA when CBS News informed Affinity that it had purchased a copy machine previously leased by Affinity, and that it had retrieved confidential medical information on the hard drive. Granted, it probably did not do much for Affinity’s brand to be outed by CBS News. Yet the risk to brand, to say nothing of possible litigation and fines is very real for both business and government in today’s digital environment.

CBS just went to a warehouse and put down $300 and carted the digital copier away. It was as simple as that. Actually, they bought 4 copiers; including one from the Buffalo Police Narcotics Unit (with lists of targets in major drug raids) and another that detailed domestic violence complaints and a list of wanted sex offenders. You guessed it…nothing had been erased. Their consultant was able to download tens of thousands of documents in less than 12 minutes. For the full story go to JD Supra Business Advisor.

Copiers have Life-Cycles, they are re-leased or sold throughout their life-cycle; some even get shipped overseas.  Make sure your data is erased before the machine is carted off. The best way to do that is to make someone responsible for doing just that, probably your IT department. Although not foolproof, your copier may offer encryption to encode data stored on its drive.  You may also have the option of doing an overwrite (overwrite is different from deleting or reformatting) on a regular basis – ask your IT guys about it. The Federal Trade Commission goes so far as to recommend putting a sticker on the machine saying “Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal.”

Hypotheticals –  Can you think of an easier way to perform corporate espionage? Does your copier have a digital backdoor – a remote management interface – for routine remote upgrades and maintenance? If so, is it capable of self-protection by refusing a command? Do you have any idea of exactly what that repair technician is doing while servicing the copier? Did you check his credentials?

Good luck and happy copying!


One thought on “Digital Copiers @ Risk for Data Breach

  1. Excellent article John. The real world examples give much credibility to the subject.

    Tom Daly

    Sent from my iPhone Please excuse any typos sent from my mobile device.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s