by Ondrej Krehel

Earlier this year CBS News brought national attention to an interesting potential source of identity crimes—digital copy machines. Since 2002 nearly all large copy machines store images to an internal hard drive, essentially saving to disk whatever paper is placed on the glass and copied.

CBS News bought four copiers and with free recovery software pulled volumes of documents off their hard drives, including documents from the Buffalo Police Department’s sex crimes division and thousands of medical files from a New York healthcare provider. The latter had to contact three government agencies and 400,000 clients to report the potential HIPAA violation. Many of the copiers were actually sold overseas, primarily to developing countries, before the data in them was properly scrambled.

Since the report, New Jersey has considered a law mandating erasure of digital copy machine drives, but it has yet to be passed. As it stands, despite this obvious potential goldmine for identity thieves, there is no law or mandatory safeguard to stop anyone from buying used copy machines for the personal information stored on them. Until that changes, the onus of protecting your identity when it comes to digital copiers is solely on you.

The first step is awareness. If possible, avoid making copies of sensitive documents, such as Social Security cards, tax records, medical documents or police reports on copiers where you can’t verify that security measures are in place. If you must, avoid using a public copier like the one down at the corner store. (This issue does not affect big players, such as FedEx Office, which have a different setup and delete user data.)

Use your home or office copier and make sure you know how to wipe or remove the hard drive or flash memory if the machine is ever sold or thrown away. Ask your business's IT staff if they have enabled security features such as image overwrite after copying and printing, data encryption, full disk encryption and a limited queue of stored documents for reprint. Ask them specifically how corporate data and your personal data are secured.

For your home machine, a little Internet research will go a long way—try Googling the name and model number of your machine plus “hard drive.” Go to the copier vendor site and review the specifications. Call them if you are unsure.

If you must use a small store, ask the clerk about their erasure policy. Most newer copy machines have a way to easily clean the hard drive. Don’t hesitate to ask the clerk to show you how they sanitize data. Yes, they might be a little irritated, but it sure beats the alternative.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
