IT In Crisis – Three Priorities for IT in 2010. Part 2

Updated: February 15, 2010

You'll never guess who's walking out your front door with confidential data. Yes, it's the guy who leases you your copy machine. When digital copy machines are replaced or come off lease, they are wheeled out your front door with a disk full of images that were printed, scanned, copied or faxed.

Digital copiers can't erase their hard drives, so at the end of their lease, gigabytes of images inside the copier are wheeled out your front door. Newer copy machines can only make the data unreadable to the copier itself, but your data is still on the disk! If you have a network-connected digital copier, additional information is retained on the copier, such as IP addresses, DNS server IP addresses, email addresses, etc.

A company called Digital Copier Security Inc (DCSI) is a pioneer in raising awareness of this security hole, which exists at most companies. DCSI claims they have obtained "off lease" copy machines, scanned the hard drives with proprietary utilities, and recovered thousands of pages of documents fully intact. Here are some examples of what they've recovered.

  • A complete home refinance application including applicant's full name, SSN, current employer, previous employers, bank account numbers, etc.
  • A spreadsheet showing employee names and company-issued credit card numbers.
  • Full tax returns
  • Confidential medical records
  • Confidential executive business reports
  • Over 20,000 documents were recovered from just one hard drive

You would never let a vendor walk out of your data center with a hard drive that is not scrubbed, yet it is done every day with digital copiers.

Don't even think about removing the hard drive before releasing the copy machine; doing so would make the copier unusable and void your lease agreement. You would become liable for the complete cost of the copy machine. Don't expect the copy machine technician to purge the device; they don't have the technical knowledge of where all your information is stored, or how to purge it. Most technicians believe the copier is purged when the scans are no longer visible on the display; don't accept their ignorance. Also, don't think you can push the purging responsibility onto the leasing company, as I guarantee your lease agreement doesn't require them to provide this service.

This is one of corporate America's biggest risks, yet I haven't found any company with security policies addressing digital copiers. Most end-of-lease copiers are sold overseas, where recipients of these copiers (and your data) are not subject to US laws.

Do you know who has your old digital copy machine and all your data on its hard drive?

How many digital copy machines do you have that are ready to go off lease? How will you ensure your data doesn't go off site with the copy machine? How will you ensure your competitors or hackers won't get their hands on your data through your old copier? Are you at risk of lawsuits from employees or vendors that use your copy machines?

This is a security issue we cannot ignore, and it's an issue without an easy solution. The options available are limited and can be very expensive for companies with multiple copiers. DCSI provides a certified disk scrubbing service. Another option is to purchase a "Security Kit", which is expensive and very inconvenient. Most companies disable the kits over the course of time because they are so troublesome. For more information about the subject of Digital Copier Security, visit the website of DCSI at . (I am not affiliated with this company.)

If you still are not convinced this is a major security issue, take a look at the following news video done by an investigative reporter.

If your company is regulated by SOX, GLB, HIPAA, FERPA or FTC Red Flags, a breach can be construed once your digital copier leaves your possession and control. Considering the costs of fines, penalties, sanctions, public notification, credit monitoring and damage to a corporate image, careful purging of these machines should be a top priority for every company.
