Are copy machines a security risk?

Serendipity
Serendipity Posts: 6,975
edited June 2010 in The Clubhouse
Interesting CBS News video:
http://www.youtube.com/watch?v=XZJHjB5ybig

I didn't know copy machines did this, until I saw this video.

Wonder if this occurs on all copy machines or only with certain settings?
polkaudio RT35 Bookshelves
polkaudio 255c-RT Inwalls
polkaudio DSWPro550WI
polkaudio XRT12 XM Tuner
polkaudio RM6750 5.1

Front projection, 2 channel, car audio... life is good!

Comments

  • bobman1235
    bobman1235 Posts: 10,822
    edited June 2010
    Any modern copy machine that does all the special features needs to store that stuff somewhere. Why that information is KEPT on the hard drive is beyond me. Shouldn't that info just be scrubbed regularly by the copier firmware?
    If you will it, dude, it is no dream.
  • Serendipity
    Serendipity Posts: 6,975
    edited June 2010
    If I understand correctly....

    Modern copiers are multifunction devices - network printers, scanners, copiers, all in one. So that's why when you go to make 200 copies, it doesn't scan the page 200 times. It just stores the data somewhere and prints from that.

    I don't know how many pages the HDD can keep, but it seems like a lot of data.
  • Jstas
    Jstas Posts: 14,808
    edited June 2010
    Yes, they are a security risk.

    NISP says so. So much so that it is a required entry in all NISPOM documents concerning printouts and copies.

    I can't go into further detail.
    Expert Moron Extraordinaire

    You're just jealous 'cause the voices don't talk to you!
  • tonyb
    tonyb Posts: 32,953
    edited June 2010
    Would it not make sense to have a function to clear the hard drive, scrub it?
    HT SYSTEM-
    Sony 850c 4k
    Pioneer elite vhx 21
    Sony 4k BRP
    SVS SB-2000
    Polk Sig. 20's
    Polk FX500 surrounds

    Cables-
    Acoustic zen Satori speaker cables
    Acoustic zen Matrix 2 IC's
    Wireworld eclipse 7 ic's
    Audio metallurgy ga-o digital cable

    Kitchen

    Sonos zp90
    Grant Fidelity tube dac
    B&k 1420
    lsi 9's
  • WilliamM2
    WilliamM2 Posts: 4,773
    edited June 2010
    It's nice that CBS news informs the public about risks like this. Too bad they also informed thousands of criminals that didn't know about it either.
  • Serendipity
    Serendipity Posts: 6,975
    edited June 2010
    tonyb wrote: »
    Would it not make sense to have a function to clear the hard drive, scrub it?

    According to the video, if I understand correctly, that is an extra cost option.
  • WilliamM2
    WilliamM2 Posts: 4,773
    edited June 2010
    tonyb wrote: »
    Would it not make sense to have a function to clear the hard drive, scrub it?

    Of course. Or just store it in memory, like cheap home all-in-1 printer, scanner, fax machines.
  • Echosphere
    Echosphere Posts: 395
    edited June 2010
    WilliamM2 wrote: »
    Of course. Or just store it in memory, like cheap home all-in-1 printer, scanner, fax machines.

    I'm not positive but I think they have to have an HD to store all that data.

    We used to get 1GB downloads from DHS in encrypted PDF forms with 1000s of pages. Then we would transfer those files to the massive network printer to print out, each day.

    So, yeah, that's scary to know! Thanks OP!
  • brettw22
    brettw22 Posts: 7,624
    edited June 2010
    What did y'all think that % full number meant when you're scanning a 10 page report and it starts using the MEMORY......duh.
    comment comment comment comment. bitchy.
  • exalted512
    exalted512 Posts: 10,735
    edited June 2010
    According to the video, if I understand correctly, that is an extra cost option.

    It shouldn't be a $500 option to have your programmer...who you're paying anyway, to put that into the script.

    -Cody
    Music is like candy, you have to get rid of the rappers to enjoy it
  • Sherardp
    Sherardp Posts: 8,038
    edited June 2010
    I have a MF machine at home that stores data too. I can go in the machine and wipe it, or just recall anything sent or copied and it will bring it right up. So yes be aware of this.
    Shoot the jumper.....................BALLIN.............!!!!!

    Home Theater Pics in the Showcase :cool:

    http://www.polkaudio.com/forums/showcase/view.php?userid=73580
  • PerfectCreature
    PerfectCreature Posts: 1,456
    edited June 2010
    Wow....this is ridiculous.
    I never knew this. I will now be aware of, and most likely avoid these.
    Think of like...your Staples copiers....
    I think I will be copying only at home...
    Receiver
    Harman Kardon HK 3490
    Speakers
    Polk Audio Monitor 50s
    Subwoofer
    Klipsch KSW-100
    Cables
    AudioQuest Rocket 33s 10ft
    AudioQuest Optilink1 2m
    AudioQuest Alpha-Snake 25ft Interconnect
    AudioQuest HDMI-1 2m

    Alienware X51 R2
    PS4
    Samsung Smart TV 40" 1080p 3D
  • mdaudioguy
    mdaudioguy Posts: 5,165
    edited June 2010
    No more sitting on the copier...
  • camp21178
    camp21178 Posts: 273
    edited June 2010
    I have worked on copiers for 29 years. The new multifunctional machines I work on have 180 GB hard drives on board. I went to recondition a machine a few weeks ago, and I saw an entire company's roster and what prescription drugs they were taking. I cleared the hard drive immediately of course. We now have an intensive clearing process that we undertake with every trade-in. Department of Defense hard drives are left on site, and the Military destroys them. It's a real problem.
  • Echosphere
    Echosphere Posts: 395
    edited June 2010
    Wow....this is ridiculous.
    I never knew this. I will now be aware of, and most likely avoid these.
    Think of like...your Staples copiers....
    I think I will be copying only at home...

    :eek::eek::eek::eek::eek::eek::eek::eek::eek::eek::eek::eek::eek:

    Just remembered that I had copies of my passport, birth certificate, and social security card made about a month ago at Kinko's....
  • WilliamM2
    WilliamM2 Posts: 4,773
    edited June 2010
    Wow....this is ridiculous.
    I never knew this. I will now be aware of, and most likely avoid these.
    Think of like...your Staples copiers....
    I think I will be copying only at home...

    Even if you avoid it yourself, there is no way to stop others from faxing your info, like the medical example in the video. I know from my recent surgery, that my doctor and surgeon were faxing info back and forth, and faxing scripts to the pharmacy as well.
  • dkg999
    dkg999 Posts: 5,647
    edited June 2010
    If you know the right code to input to most of the multi-function copy/scan/fax/print machines you can reprint the most recently printed documents that are still in memory. We also figured out that at least one brand of machine will reprint a file that is still on the print server. So the rule is to never copy sensitive documents at a client site if you don't want the risk of them getting to the info.
    DKG999
    HT System: LSi9, LSiCx2, LSiFX, LSi7, SVS 20-39 PC+, B&K 507.s2 AVR, B&K Ref 125.2, Tripplite LCR-2400, Cambridge 650BD, Signal Cable PC/SC, BJC IC, Samsung 55" LED

    Music System: Magnepan 1.6QR, SVS SB12+, ARC pre, Parasound HCA1500 vertically bi-amped, Jolida CDP, Pro-Ject RM5.1SE TT, Pro-Ject TubeBox SE phono pre, SBT, PS Audio DLIII DAC
  • mmadden28
    mmadden28 Posts: 4,283
    edited June 2010
    WilliamM2 wrote: »
    Even if you avoid it yourself, there is no way to stop others from faxing your info, like the medical example in the video. I know from my recent surgery, that my doctor and surgeon were faxing info back and forth, and faxing scripts to the pharmacy as well.

    One would hope that HIPAA compliance would take that into account and address it just as the DoD does.
    ____________________
    This post is a natural product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

    HT:Onkyo 805, Emotiva XPA-5, Mitsu 52" 1080p DLP / polkaudio RTi12, CSIa6, FXi3, uPro4K
    2-chnl : Pio DV-46AV (SACD), Dodd ELP, Emotiva XPA-1s, XPA-2, Odyssey Khartago, LSi9, SDA-SRS 2 :cool:, SB Duet, MSB & Monarchy DACs, Yamaha PX3 TT, SAE Tuner...
    Pool: Atrium 60's/45's
  • mmadden28
    mmadden28 Posts: 4,283
    edited June 2010
    Jstas wrote: »
    Yes, they are a security risk.

    NISP says so. So much so that it is a required entry in all NISPOM documents concerning printouts and copies.

    I can't go into further detail.

    What is a required entry in all NISPOM documents?
    What are 'NISPOM documents'?


    The NISPOM is a manual (unclassified and publicly downloadable) and its purpose is the protection of classified information, and it is only applicable to contractors and certain branches and agencies of the US Govt.

    The NISPOM is not applicable for unclassified information (which may include personal, financial or medical info, etc) nor is it used as guidance for any other Govt agencies or mandates. As such it doesn't mandate any special procedures for copiers or printers unless they are specifically for use in classified information reproduction, and in that case the requirements only really address the protection and destruction of the media itself that may retain the classified information (hard drive, memory, developer drums, screens, etc) not the fact that the device is a copier or printer, etc. In the classified world just about everything is considered a security risk.

    I'm not saying that retention in printers and copiers isn't a risk (whether hard drive based or using any other kind of non-volatile memory), but just because a document geared towards classified information protection says it's a risk, doesn't necessarily mean it is everywhere else. (I won't list any of the many potential examples here).

    ********************************************************

    The example in the video of the copiers from the police dept is a good example that the fact that a hard drive retains info is not the only issue (e.g. original documents still on the platen), but that the original owners were careless with their release of the equipment. Granted the internal hard drive certainly increases the risk exponentially, but the bigger issue is really no different than an individual or business discarding a personal computer without wiping or destroying the hard drives (or even minimally formatting them). This can also pertain to cell phones, PDAs, etc, etc, etc. I will also add that this is also along the same lines as disposing of sensitive documents without shredding them. And in many cases even if they are shredded, the shred size may be insufficient and only provides a false sense of security.

    I applaud the media for exposing the issue and opening the eyes of the businesses and individuals that weren't aware of it. I was aware of the ability for copiers and printers, etc to retain such information as it is closely related to my job, however what I did not know was that there was such a lack of understanding of this, esp in the rest of the business world (as evidenced by the copiers bought in the video), and the possibility that businesses or governments that may otherwise properly protect my personal information, such as the 'authority to release', data encryption (in transit and at rest), data destruction (wiping and shredding), etc, etc., could have been compromised in some way is very scary indeed.

    Like I mentioned, I would hope that requirements enforced by HIPAA and SOX, etc, etc, would have already addressed this type of issue (I don't know if they do or not), but if they do, then it was an epic fail for those businesses or HIPAA compliance auditors that should have identified the possibility or ensured the proper destruction of the data.
    There isn't an Act like HIPAA or SOX for all aspects of business yet wrt the protection of PII; one good example might be a place like Kinko's with a shared and possibly publicly usable copier but again I would hope that such a business is well aware of the retention issues and would already have addressed the risk such as by limiting procurement to devices that can automatically purge temp data (and of course, configured to do so). Now a local Library??? Hmmm.


    After all, I recall it was not too long ago that I saw a similar media expose about the data left on the hard drives of discarded or resold personal computers. It was an eye opener for many back then, and even though that risk is still not completely obvious to everybody in this day and age, it is general knowledge anymore. Another example was the issue of thieves dumpster diving for credit card receipts that consumers or businesses discarded that contained CC #s on them. Changes have since been made where the full CC# is no longer printed (although I still see a few from time to time) and if the issue wasn't publicised....

    I'll bet that many are probably also still not aware of the lack of secure communications that are used within and between businesses that are used to transmit the same data that may be stored on those copiers. While many businesses have addressed communications security, not all have, and most certainly not all individuals have. A great example would be email. It doesn't matter that the communication between your computer and the mail server is secure, or how secure your email provider maintains their servers or internal procedures, etc., there is no requirement for security (encryption, etc) between mail servers throughout the internet, so at some point all email is at risk for exposure. Email signing and encryption is a solution, but it is still so early in its infancy as far as widespread use/adoption that it's not even really worth mentioning. Even companies that have procedures for email encryption don't always do a good job of enforcing it or even training their employees. At my company, one of my peers sent an email with his own Social Sec # in it, unencrypted. The email system picked up on this and prevented delivery of the email and flagged it--he (and his manager) were notified of the violation. This is a good example of a business trying to protect itself, its employees and its customers, but there is only so much that can be monitored. That example flagged on a known data pattern--not all sensitive data has a known pattern, esp if it's within an image. If that user sent a scanned copy of a document (an image) with his SS# on it, it wouldn't have been detected and his email would have been sent out into the big bad world.


    Back to the copier issue--I frown upon the companies that sell the copiers, etc, that have retention capabilities that don't have a built in ability to secure data either automatically or via a quick easy routine. I especially find it ridiculous that a company would charge an additional fee ($500???!!) for such a capability.

    OK I've gone on long enough--sorry about that :o ---I'm off to bed now...
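mmadden28's point above that the mail filter caught a known data pattern but would have missed the same number inside a scanned image, shown as an added example that is not code from the thread or from any real mail product: a hypothetical outbound-mail check in Python that matches SSN-shaped strings in text parts and reports image attachments as uninspected rather than silently passing them. The regex, the `OutboundMessage` type and the sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical SSN pattern: three digit groups with the commonly published
# structural exclusions (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Attachment types this toy filter can actually read as text.
TEXT_SUFFIXES = (".txt", ".csv")


@dataclass
class OutboundMessage:
    body: str
    # attachment file name -> raw bytes (constructed in the demo below)
    attachments: dict = field(default_factory=dict)


def mask(ssn: str) -> str:
    """Report only the last four digits of a hit, never the full number."""
    return "***-**-" + ssn[-4:]


def find_ssns(text: str) -> list:
    """Return masked matches of the SSN pattern found in plain text."""
    return [mask(m) for m in SSN_RE.findall(text)]


def check_message(msg: OutboundMessage) -> dict:
    """Decide block/deliver and list every part the filter could NOT inspect."""
    hits = find_ssns(msg.body)
    uninspected = []
    for name, data in msg.attachments.items():
        if name.lower().endswith(TEXT_SUFFIXES):
            hits += find_ssns(data.decode("utf-8", "replace"))
        else:
            # Image, PDF, etc.: a number inside a scan is invisible to a
            # pattern filter without OCR, so record the gap explicitly
            # instead of treating "no match" as "nothing sensitive".
            uninspected.append(name)
    verdict = "block" if hits else "deliver"
    return {"verdict": verdict, "hits": hits, "uninspected": uninspected}


if __name__ == "__main__":
    # Constructed samples, not real data.
    plain = OutboundMessage("My SSN is 123-45-6789, please update HR.")
    print(check_message(plain))    # verdict block, one masked hit
    fake_png = b"\x89PNG\r\n\x1a\n" + b"scan of the same card"
    scanned = OutboundMessage("See attached.", {"card.png": fake_png})
    print(check_message(scanned))  # verdict deliver, card.png uninspected
```

The `uninspected` list is the part worth alerting on: a filter that only reports matches gives exactly the false sense of security the post describes.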
  • mmadden28
    mmadden28 Posts: 4,283
    edited June 2010
    WilliamM2 wrote: »
    It's nice that CBS news informs the public about risks like this. Too bad they also informed thousands of criminals that didn't know about it either.

    Yep, two sides to every coin--it's a sad fact, but the public needs to know or it might not ever get addressed and help make a change happen. It's obvious that the copier companies are aware of the issue by the fact that some may only offer the wiping as an option (and sometimes for a fee)--maybe (MAYBE) public pressure might enforce a requirement somewhere down the road. Besides, I'll bet that most criminal organizations interested in such info probably already knew.

    OK I'm off to bed for real now..:o
  • tonyb
    tonyb Posts: 32,953
    edited June 2010
    mmadden28 wrote: »
    Yep, two sides to every coin--it's a sad fact, but the public needs to know or it might not ever get addressed and help make a change happen. It's obvious that the copier companies are aware of the issue by the fact that some may only offer the wiping as an option (and sometimes for a fee)--maybe (MAYBE) public pressure might enforce a requirement somewhere down the road. Besides, I'll bet that most criminal organizations interested in such info probably already knew.

    OK I'm off to bed for real now..:o

    Yeap, I'm sure the criminal element was way ahead of CBS on this one. I never knew this and thank the OP for bringing it up as I know my wife's company never knew this either.