A while back, CBS News ran an “exposé” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is being run around the internet again, though, so let’s take a few minutes to formally debunk it.
One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.
Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:
- Digital copiers contain hard-drives – True.
- The hard-drive keeps a copy of the documents being copied – True.
- The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes there are images on the hard-drive but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
- The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even half-way on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.
So the lessons from this story are:
- If your company does not keep copiers on their IT asset list, they should. (Though they should primarily because of the risk of an unpatched OS.)
- If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.
Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.
Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.
Note: For best results with the “poor man’s disk wipe”, set your copier to it’s highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab but it will frustrate the 13 year old who pulls the drive out of the trash.