Blog Entries

Your office photocopiers can now be added to the list of items that can leak personal data. Recent personal data losses across the nation have been attributed to employees mishandling or purposefully removing hard drives located in multi-function printers (often called MFPs) for the purposes of exploiting the information that is digitally held by the memory devices inside them.

The security issue pertains only to higher-end MFPs that digitally store copied or scanned images temporarily or on a short-term basis. These MFPs usually contain small hard drives that can be removed and accessed by virtually anyone who has a computer and a hard drive data cord. The problem is so significant that a major copier company issued a security advisory warning that the hard drives on many photocopiers can store scanned documents.

So how easy is it to obtain information or documents from these machines? I decided to do a little test of my own by going to the local Kinko’s, since our office copier lacks anything “high-end.” (That is another story.) I found a higher-end digital copier machine that had scanning capabilities. My intention was to ask a Kinko’s employee if the machines had hard drives embedded within their skeleton; however, I came across something that captured my interest. I discovered that the machine had a “recall” option where the last three items copied or scanned were still made available! I chose one of the three, and the MFP started printing out 10 copies of what appeared to be a confidential presentation from a local company that was proposing the acquisition of a large, publicly traded company. I later checked secondary research and open-source news and investor sites and discovered that the notion of a merger or acquisition with the company in question was not even being considered, much less publicly released. This could have caused a real issue for the company involved if a “get-rich quick” trader had leveraged this information in the stock market.

I then asked one of the Kinko’s employees about the hard drives allegedly installed in these machines. The employee kindly told me that these copy machines were “top-of-the-line digital MFPs…each containing 1 GB [Gigabyte] of hard drive space for storage.” When I asked how this information could be accessed, she told me that the hard drives are “easily removable” from the machines. I then inquired about how this might place personal or corporate information at risk, and I was surprised by the response I received from her: “That is definitely an issue [internal MFP hard drives], but what gets me the most is when people come in here [to Kinko’s] from area businesses and photocopy and print dozens of copies of confidential and non-public materials and then just leave extra copies laying around. I am always picking up off the printers or copiers copies of presentations marked ‘confidential,’ ‘do not distribute,’ or ‘internal company information – not for external distribution,’” the employee told me. She further told me: “And, it must be common knowledge that documents get left at a Kinko’s, because there was a guy who came in here each week and collected presentations and extra copies left on the printers or scanners. After about the fourth or fifth day, I asked him what he was doing and he told me that he worked for [name omitted – the company is a competitor of a Fortune 500 company in the area]. He was hired as the company’s competitive intelligence manager and one of the first places he goes to get his information is the Kinko’s closest to the competitor’s facility.” My jaw nearly dropped.

While I remain extremely concerned about the issue of security with digital copy machines, I am also concerned that companies are actually lurking at Kinko’s shops for competitor information. So, let this be a lesson: not only are digital copy machines not secure, it appears that employees who lack common sense are making the local copy shop a source of competitive intelligence!

This is an example of why company employees need basic awareness training about information security. Leaving confidential documents behind in public places is 100% sheer laziness. According to the Kinko’s store manager of the location I visited, “Every Kinko’s has secure shredder boxes for customers to use. We make sure that any piece of paper that goes into that box is shredded and unable to be used by a would-be identity thief or corporate intelligence agent.”

Investing in basic employee awareness training is a must to increasing awareness about confidential document security. But this story is also a good reminder that annual audits of your company’s risk level for information loss can help prevent embarrassing incidents of personal customer data loss or confidential company document loss. Understanding that office equipment and devices that hold information – either temporarily or for long periods of time – can be accidentally or intentionally transferred to criminals who wish to make a quick buck by directly using or selling this information is key to raising that awareness.