Copy that: Assessing the risks of digital photocopiers

Bowes owns Purdy’s Wharf Business Centre, a suite of executive offices
in Halifax’s downtown core, which houses more than 40 business tenants.
Each business pays a tenant’s fee, which includes access to fax
machines, photocopiers, printers and other office supplies.

She was shocked to learn that earlier this year CBS news reported it
had purchased used photocopiers from a recycling depot in New Jersey,
and discovered the hard drives of those photocopiers were loaded with
confidential documents from the Buffalo Police Department, including
police reports and lists of wanted sex offenders.

Bowes knew it was important to encrypt or wipe the hard drives of
personal computers before disposing of them, but until she caught wind
of the CBS story, she had never given a second thought to the
photocopiers she and her tenants use on a daily basis.

“I’ve dealt with different manufacturers over the years, and none of
them have ever communicated anything to me about the hard drives on the
photocopiers,” she says.

Most modern photocopiers have internal hard drives that store digital
images of anything that’s photocopied. The data is stored unencrypted
and resides on the drive until it is full and new data overwrites it.
If companies don’t regularly overwrite or encrypt, they run the risk of
the data being compromised.

Given the ubiquity of photocopiers, and the fact they are often resold,
both within Canada and overseas without being properly sanitized,
Canada’s Privacy Commissioner is concerned about the potential for
identity theft.

“Identity theft is a significant and growing problem, and the
increasing frequency of data breaches involving personal information is
certainly a contributing factor,” says Anne Marie Hayden, Privacy
Commissioner’s director of communications.

While the Office of the Privacy Commissioner has not investigated
privacy issues related to photocopiers per se, it did conduct an
investigation on fax machines in 2005 and made recommendations that
resulted in amended policies across government departments and
agencies. Similarly, following an investigation of privacy issues
related to black boxes in cars the Privacy Commissioner’s offices
emphasized the importance of manufacturers providing some kind of
notification to customers about the existence and capabilities of these
devices ”“ so individuals are more aware.

“Although we have not had an opportunity to examine the photocopier
issue, I suspect we would say that notification (by manufacturers to
customers) would be important here as well,” says Hayden.

As with most data breaches, says Hayden, human error is often to blame,
so it’s critical that organizations put procedures and practices in
place to safeguard the data.

Bowes admits that, as a business owner, part of the responsibility
falls on her shoulders, but she also thinks the manufacturer and the
distributors have a role to play in educating their customers.

“We’re talking about my business reputation here, and your reputation
has to be squeaky clean. When it starts to mess with my reputation, we
have a problem,” she says.

It’s fair to say that manufacturers aren’t doing the best job educating
customers on the security risks with digital photocopiers, but at the
end of the day the buck stops with the users, says Darin Stahl,
research lead at Info-Tech Research Group in London, ON. Photocopiers
with digital hard drives have been around for more than 10 years, he
adds, but for a variety of reasons, security is often overlooked until
there’s an incident that puts a company at risk.

“This is no different than disposing of a laptop. Companies need to
treat these devices as a server and lock them down so they’re protected
from any unauthorized access on the network,” add Stahl. “Organizations
that are very concerned about intellectual property or privacy are
probably more clued into this than others, but those that don’t take
steps to protect their copiers could be leaving themselves vulnerable.”

Stahl points out that more often that not, internal employees can pose
the most significant threat, so the devices must be secured while they
are running on an internal network and sanitized before they are
decommissioned.

“If I have some disgruntled guy in a cube, he can attach to that
printer, and if it’s insecure he can query it, and get all the scanned
images off that device.”

Stahl advises companies to follow some basic steps to secure their
digital photocopiers, both while they are resident in the office and at
the end of life.

“The vendors we talk to say the most secure protection is to have the
hard drive encryption-and-erase kit installed on the machine when you
buy or lease it,” he says. Alternatively, companies can purchase the
field upgrade to make the drive unreadable if it’s removed from the
copier.

The bottom line, says Stahl, is that companies must treat all network-attached devices as a workstation and act according.

“They need to ensure printer patches are applied regularly, and, as the
copiers are decommissioned, companies need to have their vendors or
their internal staff certify that the machines are cleared,” he says,
adding that companies should brush off and review the National
Institute of Standards and Technology (NIST) guidelines for media
sanitation.
 
Xerox Product Security Manager Larry Kovnat agrees it’s important for
vendors to educate their customers and to provide the adequate
counter-measures for the threats introduced with a piece of digital
equipment, but he admits manufacturers probably haven’t gone far enough
in highlighting the risks to their customers.

“The ultimate measure of your success is whether or not people have
heard the message and a lot of people haven’t heard it,” he says. We
have more work to do.”

The photocopier manufacturer has tried to get the message out through
its Web site, security summits and general marketing collateral, but
Kovnat admits customers have been calling since the CBS news story
broke to find out the status of their recently decommissioned copiers.

“If the machines come back to us, they go into our reverse supply chain
and if they can be remanufactured or the parts can be used as spares,
disk drives are rewritten and reformatted,” he says. “If they’re too
old or broken to have any value they’re sent to a secure recycler who
crushes them or shreds them.”

For companies that purchase or lease Xerox photocopiers, there are two
options for overwriting the hard drive: immediate image overwrite, an
online, automatic process that overwrites all the sectors with any
temporary image data written to them as part of a scanning or copying
process, and on-demand image overwrite, an offline, manual process.

Bowes say she will be making a call to her distributor, given the
confidential nature of the data on the photocopiers, and the fact they
are shared among a number of companies in her business centre.

“There may very well be information in the owners manual, but that’s
800 and some pages,” she says. “I don’t necessarily blame the
distributor or the manufacturer. I blame the whole system, which has
not properly passed down this information to the customer.”