DATA LEAKAGE a la Digital Copy Machine

Thursday, May 06, 2010

David Jordan


Why spend time attempting to HACK an enterprise network when the wanted data is rolling out the door of the target facility each time a copier is replaced?

Dumpster diving has gone digital and has, for the most part, been replaced by hi-tech copiers that contain perhaps years' worth of pristine copies of images and documents.

It has been fifty years since the copy machine was invented.  During that time the technology has changed significantly.

The mechanical wonders that once used kerosene and chain-drive squeegee rollers to mass-produce wet-paper copies are long gone. These days it is the digital copier, which falls into a gray area between document classification and enterprise cyber security. As technology in the copy machine industry has evolved, many of these systems now contain large hard drives that retain full and complete images of each and every copy made on the system.

Get ready for the next revolution in copiers, when these machines will produce a DVD of the stored data contents.

Since around 2002, nearly all digital copiers manufactured have used a hard drive for copied image storage. Every document copied, scanned, or emailed is retained on the hard drive as the “image of record”.

Additional copies are sourced from the stored data image, not the original hard copy. Some machines are networked; others are not.

A recent CBS news story illuminated the data leakage concern and pointed out many of the worst-case data leakage scenarios associated with the use of digital copy machines that do not encrypt and overwrite stored images.

If you aren’t aware of this concern, you’ll want to view this video.  Go here:

A few suggestions to help manage the copy machine data leakage risk:

  • Have your procurement office ensure that copier lease or purchase contract language specifies that copier hard drives use encryption and overwrite protection techniques.
  • Have procurement ensure that copier lease or purchase contract language specifies a disposal process for copiers with hard drives, one that requires the removal of the hard drives (for destruction) when copiers are removed, replaced, surplused, or swapped out under lease.
  • Amend existing cyber security training and education materials to include the potential for data leakage from digital copy machines.
  • Amend existing annual risk assessment procedures to include digital copy machine data storage encryption certification.
David Jordan: XEROX encrypts their copier products' hard drives and doesn't charge extra for it.
Ray Tan: Yeah, this is a way to get the information you are interested in. However, it is hard to access it physically unless you happen to be familiar with social engineering.
We need to pay more attention to it and enhance the control on it.
Thank you.
Eric Bos: Copier vendors have solutions for this, both overwriting hard drives and removable hard drives. The issue is also about discarded PCs; I normally erase their hard drives on a powerful electromagnet.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.