Office equipment like digital photocopiers contain hard drives which can be a potential target for data theft, especially if the machinery is resold after it’s been used. The equipment stores information from documents that have been scanned or copied.
At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.
Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine.
In the process, it's turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.
If you're in the identity theft business it seems this would be a pot of gold.
"The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms," John Juntunen said, "that information would be very valuable."
untunen's Sacramento-based company Digital Copier Security developed software called "INFOSWEEP" that can scrub all the data on hard drives. He's been trying to warn people about the potential risk - with no luck.
"Nobody wants to step up and say, 'we see the problem, and we need to solve it,'" Juntunen said.
This past February, CBS News went with Juntunen to a warehouse in New Jersey, one of 25 across the country, to see how hard it would be to buy a used copier loaded with documents. It turns out ... it's pretty easy.
Juntunen picked four machines based on price and the number of pages printed. In less than two hours his selections were packed and loaded onto a truck. The cost? About $300 each.
Until we unpacked and plugged them in, we had no idea where the copiers came from or what we'd find.
We didn't even have to wait for the first one to warm up. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division.
It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan - downloading tens of thousands of documents in less than 12 hours.
The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.
The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.
But it wasn't until hitting "print" on the fourth machine - from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.
"You're talking about potentially ruining someone's life," said Ira Winkler. "Where they could suffer serious social repercussions."
Winkler is a former analyst for the National Security Agency and a leading expert on digital security.
"You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up," Winkler said.
The Buffalo Police Department and the New York construction company declined comment on our story. As for Affinity Health Plan, they issued a statement that said, in part, "we are taking the necessary steps to ensure that none of our customers' personal information remains on other previously leased copiers, and that no personal information will be released inadvertently in the future."
Ed McLaughlin is President of Sharp Imaging, the digital copier company.
"Has the industry failed, in your mind, to inform the general public of the potential risks involved with a copier?" Keteyian asked.
"Yes, in general, the industry has failed," McLaughlin said.
In 2008, Sharp commissioned a survey on copier security that found 60 percent of Americans "don't know" that copiers store images on a hard drive. Sharp tried to warn consumers about the simple act of copying.
"It's falling on deaf ears," McLaughlin said. "Or people don't feel it's important, or 'we'll take care of it later.'"
All the major manufacturers told us they offer security or encryption packages on their products. One product from Sharp automatically erases an image from the hard drive. It costs $500.
But evidence keeps piling up in warehouses that many businesses are unwilling to pay for such protection, and that the average American is completely unaware of the dangers posed by digital copiers.
The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas - loaded with secrets on their way to unknown buyers in Argentina and Singapore.
So should government agencies be worried about sensitive data being exposed via discarded office equipment ?
In an interview with Government Technology, Vince Jannelli, director of product management partners within Sharp Imaging and Information Company of America, said storage devices in government offices may pose security risks.
What types of equipment in government offices face security risks and other vulnerabilities?
I would say as a whole that any network device introduces vulnerability because it sits on the network and so it needs to behave like a good citizen. This is also true for any device that has storage. So you have laptops, computers as well as things like thumb drives, which many government entities disable. Also included in this list of devices would be digital copiers and multi-function printers.
Most of the devices that are out there today are digital because there’s a lot of benefits. I could do a lot of different things and that’s because of the use of storage in the hard drive.
What risks does equipment pose and what risks do users face?
First you would need to think of not only where the equipment sits on the network but what the device being used for. And so any network device could contain some confidential or protected information. Some devices by nature, their location and who uses them are more likely to expose confidential information. The first thing to do to mitigate risk is to think about how do you secure the data that is accessed at the device? One of the most important safeguards is to make sure the data is encrypted as it’s stored on the device. When I store something on my hard drive I encrypt it. If someone stole my laptop but didn’t have my password, then if they took the hard drive out of my laptop and then put it into another device so they could read it, they couldn’t; they’d have to decrypt it. And that requires a certain level of talent. If I didn’t encrypt it, then somebody could steal my laptop. If they couldn’t log in, all they would have to do is take out the hard drive and plug it into an external drive and dock it to their PC and they could access all the data on it.
Within state and local governments, how severe of a problem are digital copiers to potential threats?
It depends on the entity. It was in Buffalo, New York where a printer was resold and it had records of people that were processed. The printer was sold by the Police Sex Crimes Division and so the victim’s personal information was on there. So in that kind of a case, what you’d want to do when you have really protected information is to overwrite every time that you scan a job — what I would call a persistent security mode. And that means that after every job, I would overwrite the data so there was no latent image data left on the device. If I’m in a government agency where I’m not using or copying or printing or scanning confidential information that much, then what I’d want to make sure is that at the time that my lease — because a copier, for instance, is typically leased — is over, I had a system in place to overwrite the hard drive of the device. It’s a process that the local government entity could either purchase through a local provider or it could be a feature that’s enabled on the product. It depends on the generation of the product itself.
Are state and local governments following these procedures?
I know there are several states that have legislation in place and by in place, I should say “on the floor,” discussion. They are looking to legislate that public entities actually do this — put a process in place.
Would you say that following these processes is something government agencies should do to better protect themselves?
Yes, I think regardless of the legislation, if the device has a hard drive, the agency should look at proper disposal methods which would include regularly overwriting the hard drive or, at minimum, overwriting at the end of the lease before it’s disposed of. But I would bet that most agencies do have a process in place where hard drives are either removed and destroyed or they hire a third party to make sure that they’re overwritten so that no sensitive information leaves the entity.
Government Technology | CBS News