Posted on 05/23/2010 4:26:55 PM PDT by MamaDearest
(CBS) A CBS News investigation last month found that nearly every digital copier built after 2002 stores an image of documents copied, scanned or emailed by the machine on hard drives.
CBS News chief investigative correspondent Armen Keteyian reports parents and students at Dos Palos High School in Sacramento found out the hard way recently, when CBS affiliate KOVR pulled hundreds of student names, home addresses, cell phone and social security numbers off the hard drive of an old school copier.
"The fact that information that we treat very, very carefully somehow got out of our system and is out there is a huge concern to us," said Brian Walker, Dos Palos school district superintendent.
Massachusetts Congressman Ed Markey is of the same mind. Citing our report, he called for an investigation by the Federal Trade Commission -- concerned most Americans don't know their information can be compromised.
"We have to do a lot more to insure that the public and corporations know this," Rep. Markey said, "and that absolute security is applied to copy machines across our country."
Our investigation last month revealed how easy it is to buy used copiers at a warehouse and remove the hard drive packed with personal data.
Using software available free on the Internet, our expert, John Juntunen of Digital Copier Security, downloaded thousands of documents in less than 12 hours.
From the Buffalo Police Department we found lists of domestic violence complaints, and targets in a major drug raid.
From a New York construction company, we found 95 pages of pay stubs with names, addresses and social security numbers.
And from a health care company, we found hundreds of pages of personal medical records. As a result of our story, Affinity Health was required to notify more than 400,000 people of a potential breach of their privacy.
"I think the copy machine industry has to step up, provide the leadership and technology that insures this information is scrubbed from copy machines," Rep. Markey said.
Now the Federal Trade Commission has jumped onboard, looking for ways to better protect the public from a simple office copier that we now know can leave behind a digital trail of secrets.
Why?
One fundamental confusion in See BS’s story is that they bought and examined multi-function office machines, i.e. dual copier/fax machines. The fax function saves copies of faxes, just as does the software that comes with many home office fax machines that are attached to PCs. Failing to purge those copies before relinquishing a fax machine is as stupid and culpable of the user failing to purge a PC before relinquishing it. “Pure” copiers normally don’t store anything in recoverable format.
There are hard drives inside copiers? I thought the bits for each copy were stored in RAM.
I’m wrong?
stupid and culpable of => stupid and culpable AS
social security documents, birth certificates, butts...
“It was only a paper moon...”
Years ago I bought a roll of ink/film for my cheapo fax machine from Office Depot... it was supposed to be new, but it had been used. I unrolled the film and there were impressions of legal documents on it... it apparently had been used by some law firm before me and somehow got repackaged and sold as new.
Most modern day copiers have their own operating systems (Windows) and GUI interfaces that must be stored on a hard drive. Also, since a lot of them do “copy to pdf” conversion with email capability they are hooked up to company’s network servers.
I never thought of it, but it is kinda scary. Every time ours broke the tech could have come and replaced the hard drive and we would not have thought anything about it. Of course all of our customers’ personal information was copied to pdf for digital storage on our network drive.
Security agencies fought to have such data retained as long as possible. And to have the companies that make these devices keep the facts out of the public’s notice.
They also got printer manufacturers to add identifiable marks to what they print so the printer that made it can be identified just from the printed document.
They also got printer and copier manufacturers to install software that makes copying currency difficult.
They also have got manufacturers of various devices to store records of some file names, data, ?? into flash memory inside various chips within the devices. It takes a coded sequence of data for the chips to then spit out the data...in case ‘someone’ needs it some day.
Many of these machines are very high tech combo printer and copiers that are just plugged into the network. They are essentially a computer and use hard drives to spool the printing and copy jobs.
The ones in my old office could scan and email, copy and print. You could start scanning your copy jobs and the machine would print the copies once any print jobs were finished.
It had never occurred to me that the machine would just store everything. This is a huge liability for companies with data privacy requirements.
We recently threw out a pair of old computers: since we’ve five between the two of us, there wasn’t much point in their taking up room.
All of the data on the hard drives had been duplicated on the currents, so I (not so) carefully removed them.
Then they got around four rounds (each) of 5.56 from around three yards, and were discarded in a separate trash flow.
I’m not real worried that that data will be “reclaimed”.
now that’s redneck trouble “shooting”
freaky-deaky
Many companies rent the Kyoceras for all their facilities so every few years they get replaced with the next models.
I thought the same thing. You should watch the video story. Quite shocking. There is a regular hard drive in there and it saves everything!
In the story, an insurance company copier the reporter looked at had everyone's medical records, showing some serious conditions.
Very serious problem.
I have been a copier tech for more than 25 years. The thing is that nearly all “copiers” these days are multifunctional. Every copier that can scan once and print many has a hard drive, and yes image data can be recovered with the right software. There are also image servers and RIPs (raster image processors); these all have HDDs.
This article is annoying to me as I have worked with many accounts who insist the HD be formatted by their IT dept. before the machine leaves their office at the end of the lease, now there are bound to be more. Also encryption kits and HDD data erase kits are a pain to install and de-install. :(
I knew that my MFC stored faxes, because if you had ten pages to fax, it would store all ten into memory before dialing. And, if it dialed and there was no response, it would wait a while, I think about 15 minutes, and then try again.
What I didn’t know, and I don’t think the instructions say, is how to purge the old records from memory when you no longer need them.
People still use fax machines?
The story did not spell it out, but medical insurance companies don’t get nearly as much actual paperwork as they do faxes. It sounds like a fax machine that kept copies of incoming faxes (from doctors’ offices sending in claims). The insurance offices probably didn’t even try to purge the copies before returning the fax machines.
I would think a lot of congressfolks and their staffers are extremely worried.
Are you kidding, yes.
“Pure copiers” are rare animals these days, especially in office environments. And figuring out how to “purge” any of these machines requires advanced training and/or lots of time to figure out. And the person most likely to know how to do the purging won’t be an employee of the company that uses the machine, but the repair guy, who’s an easy mark for corporate spying operators to pay off to copy data while he’s servicing the machines.
When I used to work for a large financial institution, which had major liability risk (including criminal liability) for failure to secure potentially market-moving client information, we had wildly complicated copier/printer/emailer machines on every floor (and several different models). All of them were prone to failing to print a document sent to them, based on some obscure setting they perceived in the document (which in some cases was confirmed by IT and copier company experts to not really exist). For example, you’d send a debt offering term sheet to the machine, go over to get it, and find that the machine was claiming it couldn’t print because it required “buff paper” (I kid you not!). But because of intervening print jobs sent to the same machine, often people had no idea why their job hadn’t printed, or whether some silly message like “job requires buff paper” applied to their job or somebody else’s. So naturally they’d re-send it. All too often, the result was that hours later, somebody else trying to make the copier/printer do what it was supposed to, would hit some button that convinced it to override one of these imagined obstacles, and suddenly an unexpected document would come pouring out (in some cases long after the person who sent it had gone home).
I tried to point out the potential seriousness of this unintentional data retention and regurgitation to the Legal & Compliance officers, who sounded concerned, but ultimately did nothing because they didn’t really understand the details.
There is no earthly reason for copiers/printers to have the capacity to store thousands of documents for extended periods of time. It should require a special concerted action to get a document saved on the machine. Few people ever need to program a job to be done at some later time, and those few people should learn how to take an extra step to accomplish that, and there should be a default setting that limits even an actively chosen retention to 24 hours, and requiring yet another concerted action to override and extend that time period.
By the way, I don’t think most companies and government offices are using these machines for faxing. At least the companies I’m aware of have almost entirely abandoned faxing in favor of e-mail, and for the rare faxing they do, use either a free-standing fax machine or PC-based software.
Can you blame your customers, even if the result is a bricked copier?
I find fax machines to be obsolete....We never use them anymore....
The story I saw said the machines were also fax machines and that it stored the fax documents. You are correct.
Inter-entity business communications are typically faxed because that provides a built-in way of proving what was sent and when, as well as a greater measure of privacy in the transmission. (Would you rather share something confidential in a land line phone call or in an email?)
Do you deal with banks?
Duh.
You’re going to fax it so the poor slob at the other end can have 150 pages of pulp after fixing the jams?
Just fast scan it and email...No paper....
Works great.
lol
http://www.youtube.com/watch?v=y01xLquSIrc
CBS News: Copy Machines, a Security Risk?
I got this in an email a week or 2 ago. Spooky.
If you habitually send out book length documents, the internet makes more sense, but the fax remains king for short legally important documents.
Incidentally, the few times I faxed out a hundred or so pages (to a lawyer) they arrived just fine. Now you’re asking the “poor slob” to fix the jams on his printer after printing out his attachment, so there is no net gain.
“Can you blame your customers, even if the result is a bricked copier?”
No, most of them are Government, medical and Hi tech R&D types. Even if the HD is formatted it can always be re-loaded. It is just more work.
You can’t sign many digital documents yet.
But for more security they gave us a.

But we asked for a ..
“Even if the HD is formatted it can always be re-loaded.”
what does that mean?
I prefer the Model 20
E-mail is what is normally used for the most sensitive information. It’s too easy for unintended recipients to pick up something coming off a fax machine, and very impractical in today’s business and government environment to go through the routine of calling somebody just before sending out a sensitive document to make sure they’d be right by their fax to pick it up. And if something is sent out via a fax machine that wasn’t supposed to be (or to a party it wasn’t supposed to be sent to), it’s often impossible to trace who actually sent it — all you can trace is what machine it was sent from, which is often shared by a large department.
Most major financial transactions that are legally required to control access to information due to potential for criminal abuse of the information, use the Interlinks system (which includes e-mail) to transmit important documents such as term sheets, offering memoranda, draft and final legal documentation for the transaction, etc. Most of the institutions doing this kind of business have internal policies specifically prohibiting the use of fax transmission for this type of thing, or have such onerous record-keeping requirements for fax transmissions that nobody faxes if they can possibly avoid it. Typical is a requirement for fax transmissions to be signed off on in advance by a unit head, with a paper copy kept including confirmation print-out and unit head’s signature, to be maintained in a binder for X years, to be kept in a file cabinet which must be locked at all times that it’s not attended by authorized staff, etc. It’s the legal department’s way of sending the loud message “Don’t Use Fax — It’s Not Secure”.
E-mail also allows for centralized surveillance of what’s going out from sensitive areas of a company or government agency, or from the accounts of specific employees who may be suspected of inappropriate activities, or from files stored in sensitive directories and sub-directories.
I’m a long time copier tech, and some of this is true and some is way overblown. Our new policy makes the whole thing moot: when we pick up a used machine, the customer gets the hard drive or drives on request. The drives can be formatted on normal computers or otherwise “decommissioned” as needed.
This doesn’t solve the problem of a used machine ending up in a state surplus sale. The feds get copiers with removable hard drives, a hard case and a set of keys. Don’t fire the guy with the key without getting it back, we don’t have copies of the keys and can’t get it back for you.
Years ago, used typewriter ribbons were considered extremely valuable for data mining.
And used carbon paper.
The more things change, the more they stay the same.
(How do you copy your butt with carbon paper, anyway?)
Not having a fax dedicated to a small team dealing with the outside world interface of private data is a mistake in itself.
As you have inadvertently highlighted, email has its own pitfalls. If it can be screened it can also be diverted.
Paper is old and obsolete...Takes warehouses for storage, ya have to pay people to move it around, it's heavy, bulky, and it's a waste of resources and energy...
Fax machines are dying out just like the buggy whip...
Ya heard it here first.
Now, now, I've never blown my nose, wiped my mouth, or cleaned my rear on a CRT. Also, paper moons just aren't the same when virtual.
Yes, when a signature is required.
Well then, you'll still have a use for paper in the future.
When finished you can toss it in the trash along with that obsolete fax machine.
Are you kidding, the EPA forbids me to throw the fax machine in the trash. Electronic waste.
Companies and individuals started going paperless years ago...With this economy, you can expect that to ramp up considerably in the future.