
Huge Data Breach Potential From Used Copy Machines

Early in my career, jobs at Xerox Corporation taught me how copy machines work. This WBZ Television news item definitely caught my attention:

"Copy machines today are just like computers... They have hard drives and can store data that can be extracted... Think about it. Your tax preparer, your mortgage broker, your doctor, chances are they have all made copies of documents containing your personal information. That means your social security number; your bank accounts and credit card information could all be sitting on a hard drive in an office copy machine... There are massive warehouses across the country filled with hundreds if not thousands of used copiers that are up for sale. Companies are supposed to wipe the hard drives clean, but that does not always happen."

It's good that the news media is now aware of and reporting this problem. In my experience, the threat is not from just copy machines but from the broader office equipment liquidation process -- how companies discard used office equipment: servers, routers, desktop computers, laptops, mobile devices, and external storage devices.

The liquidation process is supposed to work like this: a company hires an equipment vendor to buy, transport, and wipe clean the hard drives on the used office equipment it discards. The vendor is supposed to perform all of these tasks, and makes money by reselling the used equipment.

In reality, not all vendors consistently wipe clean the equipment they have been entrusted to cleanse. And, nobody at the client company checks or audits their performance. So, large amounts of sensitive data literally exit companies' doors on thousands of used copy machines, computers, laptops, and related office equipment.

It's the dirty little secret nobody within a company wants to discuss.

I first wrote about this used office equipment breach potential in September 2007. I am glad that the news media is now paying attention. The question: are corporate executives -- information technology and security professionals -- paying attention? Within each company, who is auditing the used equipment liquidation process? Who is being held accountable?

Comments


Nat Adam

So now that we know there's a problem, what's the fix? Where's this forensic software CBS talks about?

George

Nat:

While I am sure many people are curious about the name of the forensics software CBS News mentioned, the more important issue is for companies to audit their equipment liquidation vendor... and hold the appropriate executives responsible (e.g., demoted, fined, and/or fired). Otherwise, data breaches will continue.

George
Editor
http://ivebeenmugged.typepad.com

Anonymous

I agree that the breach is ONLY when the scanner or copier is out of the office for checking or something, not when it's inside the office or something. Anyhow, it's possible to face this problem by giving the machine a hard format every time it's going out.

Mustafa

I think that it's time when everything should be kept in a much safer place, especially copy machines should be kept properly and not only this they should also be kept perfectly as well.

Joe

There are so many privacy problems in our digital world, we must think of wise solutions to protect our private data. Hope an answer will come soon.

Richard F. Sands

Your blog provided us with valuable information to utilize. Each and every tip in this post is awesome. Thanks guys for sharing this.

Used Cat Equipment

I recognize that the violation is ONLY when the reader or photo copier is out of the workplace for verifying or something, not when it's in the workplace or something. Anyhow, it's possible to deal with this issue by providing it a challenging structure whenever it's going out.
