STE WILLIAMS

Warehouse full of digital copiers yields truckloads of secrets

Photocopiers: Ever wonder what the person before you copied? And no, we’re not talking about body parts.

We’re talking birth certificates, bank records, driver licenses, customers’ credit cards, income tax forms and other valuable personal information: a jackpot for identity thieves.

It’s unfortunately not hard at all to get your hands on whatever the person before you copied: as the Federal Trade Commission (FTC) has been warning us for years, as at least one copier vendor has trotted out Christian Slater to do a Mr. Robot scary-hacker video about, and as copier-focused security outfits keep reminding us, most machines made since 2002 have hard drives.

Those hard drives contain copies of everything the machines print, copy, scan, fax or email. Unfortunately, few businesses take advantage of data security features the manufacturers may offer – such as encryption or file wiping – either as standard, or at an additional cost for an add-on kit.

That was made clear in February, when CBS Evening News visited a New Jersey warehouse full of used copy machines.

As the FTC has advised, digital copiers are often leased, returned, and then leased again or sold. Apparently, not many businesses bother to wipe their hard drives when they acquire or return the machines.

In February, CBS’s Armen Keteyian and John Juntunen – who runs a company called Digital Copier Security that sells software to scrub data off copier hard drives – picked up four machines at about $300 each.

Keteyian:

Almost every one of them holds a secret.

The contents of the hard drives are one thing. Some of the machines were passed along with documents still lying on the copier glass: no forensics software required.

Within 30 minutes, the hard drives had been pulled. In less than 12 hours, a free forensic program had recovered tens of thousands of documents from them.

The results included:

  • Detailed domestic violence complaints and a list of wanted sex offenders from Buffalo, New York, police department’s copier.
  • A list of targets in a major drug raid from a second machine from the Buffalo Police: this one from the Narcotics Unit.
  • A New York construction company’s machine yielded design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and taxpayer IDs; and $40,000 in copied checks.
  • 300 pages of individual medical records from a machine that had belonged to Affinity Health Plan, a New York insurance company; they came out as soon as the team hit “print.”

Keteyian, writing about the medical records:

They included everything from drug prescriptions, to blood test results, to a cancer diagnosis.

As Keteyian notes, that’s a “potentially serious breach of federal privacy law”: specifically, a violation (or, one assumes, 300 violations?) of the Health Insurance Portability and Accountability Act (HIPAA).

The Buffalo Police Department and the New York construction company declined to comment on the story. Affinity Health Plan issued a statement that said, in part:

We are taking the necessary steps to ensure that none of our customers’ personal information remains on other previously leased copiers, and that no personal information will be released inadvertently in the future.

Of course, copiers can be dangerous in other ways besides storing sensitive materials on their hard drives. We’ve seen…

The FTC has a slew of tips on how to ensure that photocopiers’ hard drives don’t give away your secrets.

The TL;DR: treat your copier as you would a computer – because that’s what it is. Typically, it’s an internet-enabled, network-trusted computer with a hard drive that keeps an image of every job, with all the inherent dangers that entails. That includes the way out the door: wipe or physically destroy the drive before the machine is returned, resold or scrapped, because a deleted job is still on the platters until something overwrites it.
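To make the recovery described above concrete, here is an added example (not code from the article, from CBS, or from Digital Copier Security) of the technique a free file-carving tool uses: scan the raw bytes of a disk image for known file headers and footers and ignore the filesystem entirely, which is why dropping a directory entry (“deleting” a job) leaves the document fully recoverable, and why only overwriting the sectors actually removes it. The disk image, the filenames and the document contents are constructed test data; tools such as foremost, scalpel and PhotoRec carve on the same principle.

```python
"""Toy file carver: why 'deleted' copier jobs survive, and why wiping works.

Everything below is constructed test data: a fake raw disk image holding
three small documents (two PDF-like, one JPEG-like) with zero-filled slack
between them, plus a toy 'directory' standing in for filesystem metadata.
"""

# Real magic numbers for the two formats: (type, header, footer).
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF"),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
]


def carve(image, max_size=1 << 20):
    """Scan raw bytes for header/footer pairs; return (type, offset, data).

    No filesystem structure is consulted, so anything whose bytes are still
    on the media is found, whether or not a directory entry points to it.
    """
    found = []
    for name, header, footer in SIGNATURES:
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f == -1:            # header without footer: skip past it
                start = h + 1
                continue
            end = f + len(footer)
            found.append((name, h, bytes(image[h:end])))
            start = end
    return sorted(found, key=lambda t: t[1])


def build_image():
    """Construct the toy image and its directory {name: (offset, length)}."""
    docs = {
        "scan0001.pdf": (b"%PDF-1.4\n% constructed test document\n"
                         b"(Patient: J. Doe  Result: positive)\n%%EOF"),
        "fax0002.jpg": (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
                        + b"\x7f" * 64 + b"\xff\xd9"),
        "copy0003.pdf": b"%PDF-1.7\n(Pay stub, taxpayer ID redacted)\n%%EOF",
    }
    image = bytearray()
    directory = {}
    for name, data in docs.items():
        image += b"\x00" * 128         # slack between files
        directory[name] = (len(image), len(data))
        image += data
    image += b"\x00" * 128
    return image, directory


def delete(directory, name):
    """A plain 'delete': drop the metadata, leave the bytes in place."""
    directory.pop(name)


def wipe(image, directory, name):
    """Overwrite the file's sectors in place, then drop the entry.

    A single zero pass is what this demo does; on real media use the
    device's own sanitize/encryption feature or a published standard such
    as NIST SP 800-88, and note that wear-levelled flash may not overwrite
    the physical cells an in-place write targets.
    """
    off, length = directory.pop(name)
    image[off:off + length] = b"\x00" * length


def demo():
    """Return the carved file types before delete, after delete, after wipe."""
    image, directory = build_image()
    before = [t for t, _, _ in carve(image)]
    delete(directory, "scan0001.pdf")          # metadata gone, data intact
    after_delete = [t for t, _, _ in carve(image)]
    wipe(image, directory, "copy0003.pdf")     # sectors overwritten
    after_wipe = [t for t, _, _ in carve(image)]
    return before, after_delete, after_wipe


if __name__ == "__main__":
    before, after_delete, after_wipe = demo()
    print("carved before delete :", before)
    print("carved after delete  :", after_delete)
    print("carved after wipe    :", after_wipe)
```

The deleted scan is still carved out in full (patient name and result included) because only the directory entry went away; the wiped pay stub is gone because its bytes were overwritten. A copier that never overwrites job data, and a business that never runs the overwrite feature before returning the lease, leaves the drive in the first state.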


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RVvF1FLqAXs/
