Feeds

eBay photocopier data risk ignored

Hidden danger of copier/printer hard disks

SANS - Survey on application security programs

Analysis The security threat from carelessly ditched computers increasingly applies to a much wider range of office equipment, as sophisticated storage technology finds its way into humble devices such as fax machines and printers.

The risk that sensitive documents might make their way into the hands of undesirables was neatly illustrated by a recent News of the World investigation, which discovered sensitive information on office kit sold through a second-hand supplier.

Multi-purpose photocopiers, which double as scanners and printers, use hard drives to store data. Firms frequently fail to apply basic security precautions before disposing of the equipment, which sometimes ends up on eBay or second-hand office equipment suppliers.

As part of an investigation the News of the World bought a number of second-hand copiers, one of which contained data left over from its use by defence supplier Cobham.

With the assistance of experts, the paper was able to recover documents and faxes including an April purchase order from aerospace giant BAE Systems and NATO briefing notes. It also found a direct debit instruction that gave away the details of one of the firm's bank accounts, along with an authorised signature and the personal details of one worker from a vetting request.

The Canon machine was bought for £411.25 from JKBM.com of Ashford, Kent, a reseller of second-hand office machinery and copiers, who exports much of the equipment that passes through its hands, especially to Nigeria and Ghana. The IR3100CN copier came with a 40GB hard drive.

The NotW passed on details of its find to privacy watchdogs at the Information Commissioner's Office.

Cobham told the NotW that it intended to change its equipment disposal procedures in the wake of the incident. "We take data privacy very seriously and have rigorous procedures," he said. "We are taking all necessary steps to recover the equipment and its data and ensure there's no recurrence."

Independent security experts said the photocopier data disclosure risk has existed for about eight years, but was poorly understood even today.

"Since about 2002 commercial copiers are built with hard drives for purposes of networking and multitasking," said Robert Siciliano, a security consultant at net security firm McAfee. "Organisations who upgrade their hardware are most often unaware of this fact.

"Once sold/donated/refurbished the data is up for grabs. Copiers need to fall under the same categories as computers and mobiles as devices that require compliance to security standards when reselling or disposing."

Harlan Simpson, director of data recovery firm Disklabs, explained that the majority of firms ignore the risk when it comes to getting rid of outdated kit.

"People are simply ignorant to the data stored on photocopiers - they just don't even realise that it's just data stored on a hard disk - the same as in their computers," Simpson explained.

"Because of this, it's treated like an old piece of hardware, not like the storage device it actually is. It's exactly the same with most fax machines."

"People have to learn which devices store data. Photocopiers, faxes, scanners, phones, computers, laptops, BlackBerrys, PDAs... all are potential data vulnerabilities."

While the risk involved in mobile phone are better understood, office kit disposal threat awareness is still in the 1990s, he added.

"We are all aware of the potential for data loss from BlackBerrys and memory sticks which has been frequently reported in the national press over the last few years. Disposing of a photocopier, fax machine, scanner, phone etc, in certain circumstances, can be no different to leaving a laptop or BlackBerry on a train or in a taxi.

"Everyone knows the risk with losing their laptops, few consider disposing of photocopiers in the same way. In some instances, we have even found the hard copies of documents left in the photocopiers."

Andrew Goodwill, a director at credit card fraud prevention firm 3rd Man, said that most of the copiers for sale through eBay are made available by second-hand firms. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.