Earlier this week, the CBS Evening News broadcast a segment about data breaches via used copy machines. It was good to see this problem highlighted on a national news broadcast. The problem is huge and needs lots of attention.
Regular readers of this blog already know about the issue since I blogged about the used copy machine breach problem over a month ago. CBS News reported this week:
"Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine. In the process, it's turned an office staple into a digital time-bomb packed with highly-personal or sensitive data... It took [a data expert] just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan - downloading tens of thousands of documents in less than 12 hours. The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid."
Used copy machines are sold to buyers both inside and outside the USA. In my view, progress will be made only when company executives are held accountable for selling used machines that have not been cleansed of sensitive data. Not fines, but jail time.
More importantly, the threat comes not only from copy machines but from the broader office equipment liquidation process -- how companies discard used office equipment: servers, routers, desktop computers, laptops, mobile devices, and external storage devices.
The liquidation process is supposed to work like this: a company hires an equipment vendor to buy, transport, and wipe clean the hard drives on the used office equipment it discards. The vendor is supposed to perform all of these tasks, and makes money by reselling the used equipment.
In reality, not all vendors consistently cleanse the equipment they have been contracted to cleanse. And nobody at the client company checks or audits their performance. It's the dirty little secret nobody within a company wants to discuss. In September 2007, I wrote about a breach via used office equipment liquidation.