Feeds

eBay photocopier data risk ignored

Hidden danger of copier/printer hard disks

Providing a secure and efficient Helpdesk

Analysis The security threat from carelessly ditched computers increasingly applies to a much wider range of office equipment, as sophisticated storage technology finds its way into humble devices such as fax machines and printers.

The risk that sensitive documents might make their way into the hands of undesirables was neatly illustrated by a recent News of the World investigation, which discovered sensitive information on office kit sold through a second-hand supplier.

Multi-purpose photocopiers, which double as scanners and printers, use hard drives to store data. Firms frequently fail to apply basic security precautions before disposing of the equipment, which sometimes ends up on eBay or second-hand office equipment suppliers.

As part of an investigation the News of the World bought a number of second-hand copiers, one of which contained data left over from its use by defence supplier Cobham.

With the assistance of experts, the paper was able to recover documents and faxes including an April purchase order from aerospace giant BAE Systems and NATO briefing notes. It also found a direct debit instruction that gave away the details of one of the firm's bank accounts, along with an authorised signature and the personal details of one worker from a vetting request.

The Canon machine was bought for £411.25 from JKBM.com of Ashford, Kent, a reseller of second-hand office machinery and copiers, who exports much of the equipment that passes through its hands, especially to Nigeria and Ghana. The IR3100CN copier came with a 40GB hard drive.

The NotW passed on details of its find to privacy watchdogs at the Information Commissioner's Office.

Cobham told the NotW that it intended to change its equipment disposal procedures in the wake of the incident. "We take data privacy very seriously and have rigorous procedures," he said. "We are taking all necessary steps to recover the equipment and its data and ensure there's no recurrence."

Independent security experts said the photocopier data disclosure risk has existed for about eight years, but was poorly understood even today.

"Since about 2002 commercial copiers are built with hard drives for purposes of networking and multitasking," said Robert Siciliano, a security consultant at net security firm McAfee. "Organisations who upgrade their hardware are most often unaware of this fact.

"Once sold/donated/refurbished the data is up for grabs. Copiers need to fall under the same categories as computers and mobiles as devices that require compliance to security standards when reselling or disposing."

Harlan Simpson, director of data recovery firm Disklabs, explained that the majority of firms ignore the risk when it comes to getting rid of outdated kit.

"People are simply ignorant to the data stored on photocopiers - they just don't even realise that it's just data stored on a hard disk - the same as in their computers," Simpson explained.

"Because of this, it's treated like an old piece of hardware, not like the storage device it actually is. It's exactly the same with most fax machines."

"People have to learn which devices store data. Photocopiers, faxes, scanners, phones, computers, laptops, BlackBerrys, PDAs... all are potential data vulnerabilities."

While the risk involved in mobile phone are better understood, office kit disposal threat awareness is still in the 1990s, he added.

"We are all aware of the potential for data loss from BlackBerrys and memory sticks which has been frequently reported in the national press over the last few years. Disposing of a photocopier, fax machine, scanner, phone etc, in certain circumstances, can be no different to leaving a laptop or BlackBerry on a train or in a taxi.

"Everyone knows the risk with losing their laptops, few consider disposing of photocopiers in the same way. In some instances, we have even found the hard copies of documents left in the photocopiers."

Andrew Goodwill, a director at credit card fraud prevention firm 3rd Man, said that most of the copiers for sale through eBay are made available by second-hand firms. ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.