Early in my career, jobs at Xerox Corporation taught me how copy machines work. This WBZ Television news item definitely caught my attention:
"Copy machines today are just like computers... They have hard drives and can store data that can be extracted... Think about it. Your tax preparer, your mortgage broker, your doctor, chances are they have all made copies of documents containing your personal information. That means your social security number; your bank accounts and credit card information could all be sitting on a hard drive in an office copy machine... There are massive warehouses across the country filled with hundreds if not thousands of used copiers that are up for sale. Companies are supposed to wipe the hard drives clean, but that does not always happen."
It's good that the news media is now aware of and reporting this problem. In my experience, the threat is not from just copy machines but from the broader office equipment liquidation process -- how companies discard used office equipment: servers, routers, desktop computers, laptops, mobile devices, and external storage devices.
The liquidation process is supposed to work like this: a company hires an equipment vendor to buy, transport, and wipe clean the hard drives on the used office equipment it discards. The vendor is supposed to perform all of these tasks; and makes money by reselling the used equipment.
In reality, not all vendors consistently wipe clean the equipment they have been entrusted to cleanse. And, nobody at the client company checks or audits their performance. So, large amounts of sensitive data literally exit companies' doors on thousands of used copy machines, computers, laptops, and related office equipment.
It's the dirty little secret nobody within a company wants to discuss.
I first wrote about this used office equipment breach potential in September 2007. I am glad that the news media is now paying attention. The question: are corporate executives -- information technology and security professionals - paying attention? Within each company, who is auditing the used equipment liquidation process? Who is being held accountable?