Printers

Police, medical records found on used copy machines

CBS News finds used copy machines loaded with sensitive data--police records, pay stubs, copied checks, and private medical documents.

Back in 2007, I wrote about the significant security risks posed by modern office copiers. Almost every copier made since 2002 contains a hard drive, which stores a copy of every document the machine scans, prints, copies, or faxes. And if you need proof of just how dangerous this stored information can be, check out the following video from CBS News.

Watch CBS News Videos Online

CBS News chief investigative correspondent Armen Keteyian talked about the threat with John Juntunen, who's company Digital Copier Security developed software designed to scrub data from copier hard drives. Juntunen and CBS News purchased four used copies from a New Jersey warehouse. Using data recovery software available for free on the internet, they were able to recover thousands of documents from the machines.

One of the machines had been used by the Buffalo, N.Y., Police Sex Crimes Division. The hard drive from it yielded "detailed domestic violence complaints and a list of wanted sex offenders." A second machine from the Buffalo Police Narcotics Unit, contained "targets in a major drug raid. " On the third machine, once used by a New York construction company, CBS News and Juntunen found "design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks."

But despite the sensitivity of the information discovered on the first three machines, it was the information on the fourth machine that they found what Keteyian called the "most disturbing documents." The machine, once used by Affinity Health Plan, a New York insurance company, contained "300 pages of individual medical records."  These records included "everything from drug prescriptions, to blood test results, to a cancer diagnosis."

There are ways to wipe data from copy machine hard drives. But as this report shows, many organizations aren't making the effort, aren't aware of the risk, or aren't verifying that the data has been erased before decommissioning old copiers.

Check out the following links for more on this report from CBS News and a follow-up from the City of Buffalo, New York.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

47 comments
Paul72959
Paul72959

Amazing. I never had anything to do with copiers except as a user, but I always assumed they had memory; how else could you print ten copies while scanning the original only once? But I would have thought it was volatile memory that would get wiped out when the job was done. Why design a copier that stores so many documents permanently? Never seen a copier that allows you to retrieve an old document (so you don't have to scan it again), so what is the reason? Do companies that buy these machines even know they're designed that way?

morav
morav

So, how do we erase the data from these hard drives? No one seems to be asking this obvious question.

NickNielsen
NickNielsen

I've seen pharmacy servers with thousands of prescription images left standing on the floor in the open, uncontrolled. I also don't think anything will be done about it until a high-profile HIPAA, Privacy Act, or identify theft case comes up where the data source was copiers.

bbb
bbb

Writer: Why do you believe that medical records are even more sensitive than SSNs, bank account info, and targets of police raids? The potential damage associated with these latter ones is quite tangible. There's too darn much paranoia about the 'privacy' of medical records!

raddler_2000
raddler_2000

i work for a copier company in georgia we wipe hard drives or give them to the companies so they can and install new hard drives when returned ! we have military and local police and sheriff's dept that we service ! also have insurance and hospitals in our system for service ! contact sradle@gadup.com or mbrown@gadup.com service manager !

jridge76
jridge76

My company de-installs communications and computer equipment. I have seen the stuff laying on the glass before. I guess they were in a hurry to leave. I got a whole bunch of computers from a big company with no IT department. It had their entire payroll on it with ssn numbers. This stuff happens all the time.

mousejn
mousejn

We pull the drives & Physically destroy the drive. High end printers can have hard drives in them.

Yugwen
Yugwen

Shocked? Why? If it touches data, wipe it or destory it before it leaves your control. Not a tough rule to make or follow. Why even let it out the door with your IP shceme? MFP devices no different. Why let your fax out the door with all your important numbers? If the device is DONE just destroy the HDs and wipe the memory you can't easily reach to physically destroy.

pjwvieviwdhy
pjwvieviwdhy

Why the hell are they charging $500 for software to remove docs. Everyone knows it doesn't cost that much to add that kind of program. You can d/l free erasers from the net. Installing them on a printer is another story, but still. If you have to shell out $500 extra dollars, I can see why some people would opt not to get it. I think that kind of function should be included as a standard feature...free of charge. Or at the least maybe an extra $20

GSG
GSG

I read this on another site, and until then never thought of a copier having a hard drive. Duh. All of our copier equipment is leased, and we have a Business Associates Agreement with that company. With the HITECH laws that went into affect, the copier company now becomes a "Covered Entity" and are bound by the same laws that we are in regards to privacy. So, ultimately, if the data got out after the copier was taken out of our service, technically the copier company is responsible for the breach and would have to answer to the Department of Health and Human services. In reality, we'd be crucified by the press, our customers, and by the dept of Health and Human Services. So, we'll be addressing this with the copier company, and I'll be writing yet another HIPAA security policy, this time to cover the copiers. We degauss all hard drives and then require a certificate of destruction from the destruction center. It may be that we will have to require a COD or something similar from the copier vendor.

Deadly Ernest
Deadly Ernest

people did NOT know the copies were stored on the hard drive before copying. Although we use older systems, cheapskate organisations, the few newer ones that I've used I knew had memory, but thought they had RAM memory as if the machine went down for more than a few seconds, the copy was lost. This is NOT something that the copy machine makers makes a point of letting the end users know. It's information that can be very helpful in a number of police investigations as well. Check what was copied on the drive for evidence of the fraud, etc.

Bill Detwiler
Bill Detwiler

In the TR Dojo blog post tied to this discussion thread, I share the shocking results of a CBS News investigation, which discovered thousands of sensitive documents (police records, pay stubs, copied checks, and private medical documents, and more) stored on used copiers. Original post, video, and poll: http://blogs.techrepublic.com.com/itdojo/?p=1700 Does your organizations wipe data from copier hard drives before decommissioning them? If so, how?

kerrymulder
kerrymulder

IT security is probably the highest concern of about 80% of our customers looking to sell a machine or those considering purchasing a 2nd hand machine.

HAL 9000
HAL 9000

It's to manipulate the scanned images after scanning that things like this are saved to a HDD. Say for arguments sake you scan in 50 pages which then you turn into a Booklet. In the past you would have to reorder the pages to the right numbers so that you could fit 2 onto one side of a copied page and then another two onto the back of that page. Making 4 Original Pages onto 1 Page. You could do this with a Analog Copier but it was more than a bit painful where as with a Digital Copier it's just a straight scan and then you program the copier to what you want done. Well you actually program the copier first before scanning but you get the idea. The HDD gets the data written to it and say you are making 999 copies as most Digital Copiers can not exceed this number it will just keep going till you run out of Toner, Paper or the out bin gets full. You then refill or remove as required and the system starts again. When it is finished the job goes and if you want to do it again you have to rescan the originals. The problem here is that with Data Recovery Software you can attack that HDD and recover the Images, not so much that you can trick the copier to reprint the images without rescanning. ;) Col

HAL 9000
HAL 9000

Have a Utility to delete the Drives. But if you are in a Sensitive Company or your copier doesn't you should Destroy the Drives before they leave the building. Col

ciakrook
ciakrook

Paranoia? Good grief! Having worked in health care in a large hospital - even an employee is able to pull the medical records of any present or past inpatient or outpatient. If you were a supervisor and could discover an applicant needed a knee replacement or organ transplant, had cancer and would be needing a lot of time off for treatment, or even pregnant, would you hire him/her in a permanent position with benefits? Be honest. These are questions that cannot be 'directly' asked in an interview, but have happened to supervisors and in many human resource departments as soon as, or turned up, the applicant is hired. Consider companies considering applications for disability, health and life insurance? Wow! Would they love to get this info before a company hires the employee. Having been a supervisor I can personally speak from experience to the first issue. Medical records need to be private....or you could pay an internet service to get "that" private info for you too. Oh! They would have a field day and be even wealthier with the medical info on these hard drives that they could sell to prospective employers -even to PI's or prospective mates.

scoopboys
scoopboys

It's a utility that overwrites EACH JOB once it is output - continuous overwrite. Most vendors provide the ability to securely wipe at EOL for free. If you want the continuous overwrite you need to pay (we use it on the one device that is accessible to the public, in case someone walked out with the HDD - as unlikely as that sounds). We've been requiring the EOL wiping for several years (2004?) since we discovered the devices had HDDs.

HAL 9000
HAL 9000

I have to wonder what Naughty things you have been doing to get a reaction like that. :^0 So can I have a look at your old traded in copier? :0 Col 0:-)

abb314
abb314

I wonder what other devices secretly have hard drives that will need secure wiping. Printers? Fax machines?

thewired1
thewired1

Copiers do have hard drives, but the only items saved are documents in the document server, fax receipts, and user box or mailbox settings. No copied or scanned items are saved to the hard drive except those directed to the Document Server boxes.

ssirvin
ssirvin

We don't wipe the drives, but we do shred them

user support
user support

Our organization does have a policy to remove hard drives from all devices. In the old days one of our staff would connect to the copier using a laptop to wipe the HDD. Currently the HDD is just pulled out and deguazed. For computers and laptops we use software that conforms to DOD standards and only deguaze if the software fails reocgnize the HDD. Higher end printers that can punch holes, staple, print on multiple types of paper from multiple trays at the same time and use job storage feature require HDD to enable those extra functions. Digital Copiers have the capability to be networked devices for copying, faxing, printing and scanning. Newer machines have a setting where you can specifiy whether you want the job to be save to the HDD. Address Books for using the email feature of these machines must be saved to the HDD. Make a backup as there is a disclaimer that the manufacturer is not reponsible for any damages resulting in data loss.

Sensor Guy
Sensor Guy

I have heard rumors that there is a ring that's operated for years inside a big Fortune 50 firm in the IT business with 3 letters that did take out, replace and read drives from copiers at the highest levels of the firm. They even inserted documents onto the drives that could be incriminating or misleading. As I heard it, they'd get an extra drive and replace it if they needed it for overnight analysis. If not, they'd just take it, dump the contents onto another machine and then return it. Most copiers have no physical barriers to entry to the disk, from what I heard. So the security problem is not just when you get rid of it, but it's also there as it's being operated. Many in the team have "branched out" to other firms. There is word on the street that the major Wall Street players' copiers had all been carefully copied and searched over the last 4 years.

ChewyBass1
ChewyBass1

Any contract we sign with our copier company has a clause we require that all hard drives are to be given to us prior to removal from our office. By the time these machines reach their end of life the hard drive is useless to them anyway and I've never had an issue with accepting this agreement. We wipe it using gutman wipe and 99 passes, or I have a drill bit that a few dozen holes will take care of the problem.

AV .
AV .

We always had Xerox copiers and the data on the hard disk is encrypted and overwritten, according to Xerox. On other copiers, supposedly, a customer has to request the drive be wiped. The company I work at is really concerned about this. I don't know if Xerox's assurance is enough without a signed document verifying your data has been erased. AV

mafergus
mafergus

Any device containing a hard drive has that device removed when it is decommissioned and if it can't be wiped then it gets the mil spec format (Hammer hits to the case)

Sensor Guy
Sensor Guy

you make sure the disk drive is secure while in production inside the building...

SkyNET32
SkyNET32

Medical records should be very private, as should SSN's etc...$500 is a lot to charge, just to keep the drive wiped, or overwritten.

RU7
RU7

To a doctor's office To the dmv To the police station been unknowingly investigated but not charged been arrested but found not guilty provided information about a criminal Made a copy of one of your financial document outside your home ...

Deadly Ernest
Deadly Ernest

I've used both and I've never known a straight copier to have a hard drive. I've used multi purpose devices which are copier / faxes and they have a memory, but since the scanned item shows as lost if the system is turned off, then it would appear to be a RAM memory and not a hard drive.

HAL 9000
HAL 9000

These are Digital Copiers and as such can do many things not possible on a Analog Copier. You can for instance feed in hundreds of Pages tell the system that you are using 2 of these pages per sheet and that you want to Duplex the copied Paper, then feed to the Finisher staple and fold the output. This is scanned to the HDD then sorted as required for the job that is being done. This happens with every scanned image which normal people read as Page Copied it first goes tot he HDD and then the printer. So just like any other HDD you can recover what is stored in the different Data Layers on the HDD. Col

robo_dev
robo_dev

Many Canon or Xerox devices store data on the drive..it's just a Linux server. For example if you scan to email, the pdf file gets written to the HDD before it's sent out. Xerox, Canon, and others have an optional 'image overwrite' feature that wipes this data instantly or on a scheduled (e.g. daily) basis. The image-overwrite feature, if enabled, can allow the device to meet the Common Criteria EAL-4 standard, meaning that you can safely let it leave the building without having to take a hammer to the device hard drive.

Sensor Guy
Sensor Guy

You may soil yourself afterwards

jemorris
jemorris

I have two Canon Imagerunners, one is between 3.5 - 4 years old and the other one is about 15 months. Plus we have 2 Toshiba machines that are just over 5 years old. All four of these machines are classified as Digital Copiers and that is their basic function. As Col noted you can purchase more options like printing, scanning, faxing and more turning them into a multifunction device. All of these machines came with hard drives and an option to upgrade to bigger ones. Canon made it a point to let us know that we had to follow a specific power off procedure if we actually wanted the machine to completely power down rather than using the "sleep" function or we risked corrupting the hard drive. Once right after a power outage the older one wouldn't boot up all the way and we had to call local support. The tech found the drive had some corruption and I'm guessing used some type of CMOS to reinitialize the drive. He said all he had to do was reinitialize it, he started the process and we stood there and chatted for a good while, I didn't see him connect anything to the copier, just use a special code while the machine was powering up to get into a service mode. The Toshiba copiers didn't come with the warning that the Canon ones did. On a side note the Canon copiers are the best quality "high speed" document scanners we have in the office.

LedLincoln
LedLincoln

With the latest couple of groups of Konica Bizhub multifunction machines that we leased, the hard drive was an optional accessory (which we took). My understanding was that the hard drive was only used for "User Boxes", which permits scanning batches of documents to the hard drive for later retrieval over the network. No doubt various manufacturers implement hard drive use in their various ways, but if there is one in the machine, it would be a good idea to wipe it before the machine leaves your premises.

HAL 9000
HAL 9000

But the Image Runner 3100 Series has a 80 GIG Hitachi HDD in it. I've had to replace a few of those drives and as Canon only supplies Hitachi Drives they get replaced with what failed to begin with. These things do not save things to the HDD as such they store scanned images and so on, on th HDD and when the power is removed you can not pickup where you left off. But because they do use that HDD to hold the images on if you attack the Drive with any Data Recovery Software you will recover what it has had written to it. Mind you I have a mate who works at Canon and is their Senior Tech here to give me advice about what is in these things. Also gives me the parts to fix the one that Mun uses because he knows that I can do it and save him time and effort. But I should mention that the Official Service Manual doesn't make any mention of the possibility of recovering Data off the HDD nor does the Standard Replacement Sheet for Secure Corporate/Government Offices. But to me it was just common sense to believe that you could forensically recover most if not all of what that unit has copied during it's life if the drive remains functional. On the up side they or at least the ones that I have used do not store Data in a Standard FAT, FAT 16, FAT 32, or NTFS Partition Canon uses a propriety Partition type or at least not a normal Computer Type Partition. Though that may have changed with the newer Digital Copiers. I haven't really had too much of a look see. But to me anything with a HDD in it needs to be treated the same as a Computer when it is decommissioned and I have recovered Scanned Images off the HDD in 1 machine using fairly standard Computer Recovery Software. These Digital Systems have their Own OS's in them and provided that the HDD keeps working just work. Kill the HDD and the system doesn't start but spits up a Canon Error Code for a failed HDD. Col

santeewelding
santeewelding

Did they end up in a landfill, or were they sold as surplus to the North Koreans?

Deadly Ernest
Deadly Ernest

telling people about the HDDs as I've been responsible for buying hundreds in the past and never once was the possibility of a HDD being in the copier or fax machine ever mentioned either in the brochure or the verbal discussions. Nothing in the tech specs about a HDD either - I'd have noticed.

Deadly Ernest
Deadly Ernest

so we can print to them from the network. even had one back in the early 1990s that worked as a a fax machine, copier, printer, and could push a fax out over the Ethernet from the fax. but, any faxes or print jobs in the memory cleared if the system was turned off. Even the latest ones I've used had the job memory cleared if powered down - thus, it appeared they worked with volatile memory (RAM) and not a HDD - thus my surprise to learn they have HDDs that store the work.

HAL 9000
HAL 9000

and all of these Scan the Image save to HDD and then do any changes as required. I think that the Image Runner Series was the first to work this way but I may be wrong on that count as I don't get heavily involved with Photocopiers. However these are true Multifunction Devices that can be used as Network Printers as well as Photocopiers and if the right accessories Are bought at the original point of sale or subsequently fitted they can also be used to send/receive Fax's. Just a 45K device that is slightly more expensive than the $120.00 Domestic Class Multi Function Printer that is sold to home owners to save desk space. I do work for several places with Image Runners and have just negotiated a Sale of a new one to replace a 5 year old 3100 which will be deliverd in the next few weeks. These things can besides enlarging/shrinking originals also be used to scan in multiple pages and then sort them to booklet form and add covers. To do this they save the entire scanned pages tot he HDD then manipulate the individual pages after they are scanned. Makes making Booklets so much easier as there is no sorting the pages to be in the right order that you had to do with the analog machines when you copied 2 X A4 Pages to 1 X A3 and then duplexed it. Not your concept of a copier I know as they have changed dramatically and in the process got far more functional, require less training to use and are more useful. They are no longer a stand alone device but a Network Printer come High End Fax Machine and Photocopier. Col

bitdoctor
bitdoctor

Why are you supposedly "techno-savvy" commenters saying, "This is what it does" "no this is what it does." It DEPENDS on the configuration! You can have most MFD's (Multi-function devices) configured to do EITHER "save to hd first" or "not." There's no one answer. Apparently, this was either configured by default or by the tech folks so that the copied and/or scanned images were saved to HD. So, no, not all jobs are stored "only in RAM." Different MFD's have different capabilities and settings. And recovery tools like 'rstudio' and others can easily pull back even the stuff that has been deleted with anything but a DoD-grade triple-zero wipe of the data. Sometimes RAM also may have a non-volatile buffer which holds some static data as well - isn't digital forensics fun? Since I have gotten involved in digital forensics, I have seen more things that I never realized were "set by default" or "configured out of ignorance of the repercussions OR the capabilities" than you would believe!

scoopboys
scoopboys

So, it is incorrect to assume that retrieval of data off of the hard drive is impossible unless using mailboxes, etc. We have tested it with our internal forensic investigators, who are able to retrieve data off of these drives.

thewired1
thewired1

The job you just described is stored in RAM not on the HDD.

AV .
AV .

Yes, I did soil myself after seeing that report. Xerox stands behind their claims though. Still, I'm going to test it myself. Have you ever audited Xerox and found what they say not to be true? AV