Digital copier security risk

A used copier can be an identity thief’s pot of gold, and a designated security coordinator’s worst nightmare.   Did you know that almost every digital copier built since 2002 stores images of the documents it’s copied?  Most modern digital copiers have a hard drive to process the images of all documents copied, faxed, or e-mailed.  Copiers are commonly used for functions involving personal data including identification, social security numbers, tax forms, and medical records.   This allows for criminals to extract sensitive personal information from used copiers.

A recent CBS news report reveals how easy it is to pull data from used copiers.  They purchased four used copiers for $300 each from a warehouse in New Jersey, one of 25 like it in the country.  It only took them a moment to identify the first machine belonged to the Sex Crimes Division of the Buffalo City Police Department; they had left originals on the glass.  Within 30 minutes they removed the hard drives and began revealing thousands of copied images, using free software from the web. The first copier contained 249,000 copies and was used for finger prints, charges, and a list of targets in a drug raid.  The other copiers revealed social security numbers, copied checks, medical records, and building plans in Manhattan.  That same day two containers loaded with used copiers were being shipped to Argentina and Singapore.

According to a survey in 2008, 60% of Americans don’t know copiers store images on a hard drive.  Ira Winkler, a former NSA analyst, said, “You have to take some basic responsibility and know these copiers are actually computers that need to be cleaned up.”  In terms of MGL 93H and 201 CMR 17.00 compliance, this means digital copiers should be considered electronic systems and must be covered by WISP policies.  Furthermore, it is essential that copiers are properly decommissioned in light of this risk.  Stories like this make us feel good that Massachusetts is making sure businesses and organizations take personal information security seriously.


Leave a Reply

Your email address will not be published. Required fields are marked *