Serious Photocopier Security Risk
April 30, 2010

This news came out a couple of months ago on one TV network, with other TV networks and print media only recently picking it up. However, doing a search on the net, I found the article below, dated 2001, on this same subject. Someone was on the ball back then.

Here is the article, from the August 31, 2001 issue of CRN.

IT Administrators May Be Overlooking Copier/Printer Security Risks

When it comes to securing corporate data, IT administrators may overlook the risks associated with digital copiers and printers.

According to a survey of more than 1,100 IT professionals recently sponsored by Sharp Electronics, nearly half said they did not believe copiers and printers have hard drives. Sixty-five percent said the machines presented little or no risk to data security.

“People have been focusing on antivirus software and firewalls and protecting workstations but not peripherals,” says Peter Cybuck, senior manager of product planning, marketing and program management at Sharp’s Document & Network Solutions Group.

The most common threats to digital copiers and printers stem from intruders stealing the hard drives containing confidential data, or reprinting documents directly from the machine after the earlier print command was canceled, according to Sharp, based here.

Today’s multifunctional copiers and printers store documents in memory, Cybuck says. “They might not just retain the last job, but the last 20 to 30,” he adds.

Sharp offers a Data Security Kit, through its dealers, that protects confidential documents processed by its digital copiers and printers by overwriting the data with random numbers.

Sharp, based here, recently announced that the kit won a Common Criteria certificate from the National Information Assurance Partnership (NIAP), a joint program of the National Security Agency and the National Institute of Standards and Technology. The Common Criteria program defines general concepts and principles of IT security evaluation.

While high-end copiers have the ability to store print jobs, the amount of storage is limited, compared with network storage, says Jim Kelton, president of Software Unlimited, an IT consulting company in Irvine, Calif.

Companies need to have a system in place to ensure they’re not disclosing confidential information when they discard the machine, he says.

In addition to its Data Security Kit, Sharp’s copier, scanner and printer products include a security feature that requires user authorization to prevent unauthorized viewing of documents sent to shared network printers.

Sharp also offers Windows NT server-based software that puts digital fingerprints on printed documents to determine the origin of final hard copy. The company recently added network interface controls to allow administrators to limit access to the machines.

Xerox (NYSE:XRX) also offers several security features on its digital copiers and printers. Hard drives on the machines are protected from unauthorized users by a strong encryption system, says Mark Burris, manager of product marketing for Xerox’s document center products.

And two years ago, the company addressed a need among its government accounts by providing the ability to remove the hard drive from the machines, he says.

“Security-conscious customers can physically remove those hard drives at the end of the day,” Burris says.

The company also recently unveiled new software that provides authenticated scanning.


Health Insurer Notifies More Than 409,000 Of Potential Breach

Sensitive medical records found on previously leased digital copier, company says

Apr 21, 2010

By Tim Wilson


Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers and employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive.

According to a press release (PDF) quietly issued earlier this month, some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company, the release states.

The disclosure follows the airing of a CBS News report that called attention to the practice of recycling or resale of copiers whose hard drives have not been properly erased.

The report showed the discovery of numerous medical records found on warehoused digital copiers. An executive at a company that makes hard-drive-erasure products used a free forensics tool to glean the data from one of the copiers in the CBS News report.

The CBS investigation also turned up sensitive data from other organizations, including personal information from a restaurant in the Phoenix area and criminal records information from a Buffalo-area police department.

Affinity Health Plan says it has not had a chance to review the data found on the copier, but in a news report, a spokesman said the figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage.

Failure to properly dispose of medical records is a violation of New York privacy regulations and could carry fines or other sanctions.