Feeds

eBay photocopier data risk ignored

Hidden danger of copier/printer hard disks

Top 5 reasons to deploy VMware with Tegile

Analysis The security threat from carelessly ditched computers increasingly applies to a much wider range of office equipment, as sophisticated storage technology finds its way into humble devices such as fax machines and printers.

The risk that sensitive documents might make their way into the hands of undesirables was neatly illustrated by a recent News of the World investigation, which discovered sensitive information on office kit sold through a second-hand supplier.

Multi-purpose photocopiers, which double as scanners and printers, use hard drives to store data. Firms frequently fail to apply basic security precautions before disposing of the equipment, which sometimes ends up on eBay or second-hand office equipment suppliers.

As part of an investigation the News of the World bought a number of second-hand copiers, one of which contained data left over from its use by defence supplier Cobham.

With the assistance of experts, the paper was able to recover documents and faxes including an April purchase order from aerospace giant BAE Systems and NATO briefing notes. It also found a direct debit instruction that gave away the details of one of the firm's bank accounts, along with an authorised signature and the personal details of one worker from a vetting request.

The Canon machine was bought for £411.25 from JKBM.com of Ashford, Kent, a reseller of second-hand office machinery and copiers, who exports much of the equipment that passes through its hands, especially to Nigeria and Ghana. The IR3100CN copier came with a 40GB hard drive.

The NotW passed on details of its find to privacy watchdogs at the Information Commissioner's Office.

Cobham told the NotW that it intended to change its equipment disposal procedures in the wake of the incident. "We take data privacy very seriously and have rigorous procedures," he said. "We are taking all necessary steps to recover the equipment and its data and ensure there's no recurrence."

Independent security experts said the photocopier data disclosure risk has existed for about eight years, but was poorly understood even today.

"Since about 2002 commercial copiers are built with hard drives for purposes of networking and multitasking," said Robert Siciliano, a security consultant at net security firm McAfee. "Organisations who upgrade their hardware are most often unaware of this fact.

"Once sold/donated/refurbished the data is up for grabs. Copiers need to fall under the same categories as computers and mobiles as devices that require compliance to security standards when reselling or disposing."

Harlan Simpson, director of data recovery firm Disklabs, explained that the majority of firms ignore the risk when it comes to getting rid of outdated kit.

"People are simply ignorant to the data stored on photocopiers - they just don't even realise that it's just data stored on a hard disk - the same as in their computers," Simpson explained.

"Because of this, it's treated like an old piece of hardware, not like the storage device it actually is. It's exactly the same with most fax machines."

"People have to learn which devices store data. Photocopiers, faxes, scanners, phones, computers, laptops, BlackBerrys, PDAs... all are potential data vulnerabilities."

While the risk involved in mobile phone are better understood, office kit disposal threat awareness is still in the 1990s, he added.

"We are all aware of the potential for data loss from BlackBerrys and memory sticks which has been frequently reported in the national press over the last few years. Disposing of a photocopier, fax machine, scanner, phone etc, in certain circumstances, can be no different to leaving a laptop or BlackBerry on a train or in a taxi.

"Everyone knows the risk with losing their laptops, few consider disposing of photocopiers in the same way. In some instances, we have even found the hard copies of documents left in the photocopiers."

Andrew Goodwill, a director at credit card fraud prevention firm 3rd Man, said that most of the copiers for sale through eBay are made available by second-hand firms. ®

Beginner's guide to SSL certificates

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.