Personal information scanned into certain digital photocopier hard drives can be easily tapped, according to a CBC News investigation probing the second-life of older machines that are re-sold or leased.
CBC purchased a used Canon Image Runner Color 3200 from a UPS franchise on Kijiji, an online classifieds website. The copier’s two hard drives were removed and plugged into a laptop, which revealed the units had not been wiped clean before being sold and shipped.
The drives were also sent to forensics experts at Digital Copier Security Inc. for further analysis. Experts called up more than 100 documents on one of the hard drives, said John Juntunen, chief operating officer of the California-based company.
Files included copies of income tax returns, health information gathered in a lab report, a driver’s license, a citizenship card and business documents.
While some documents are harder to retrieve than others — and require a full forensics search of the hard drives — others can be called up quickly and easily, Juntunen said.
“Sometimes it’s as easy as walking up to a machine, pushing a couple of buttons and pulling up documents that were stored on the hard drive,” he said.
He also noted there appeared to be no attempt to clear the drives before they were sold.
“The job logs were still intact, the IP addresses were still intact, so we saw no effort of cleaning the machine at all,” Juntunen said.
The only way to definitively protect against a security breach would be to destroy the hard drives, he said.
“You can’t run a program that will clear a hard drive to 100 per cent,” he said. “There’s still magnetic residue on the hard drive that is recoverable, although it would take a lot of time and a lot of money to be able to recover that information.”
Mail Boxes Etc. Canada, the franchiser of UPS stores in Canada, says its franchises were instructed in April to scrutinize photocopier security. Franchises that are leasing copy machines have been instructed to wipe the hard drives before returning them, said Steve Moorman, the company’s executive vice president of operations.
“The security and privacy of our customers’ information is a top priority for us,” Moorman said. “We focus on this because it’s important to us not only as franchise owners or individual franchisees.”
He also said in the company hasn’t had security breach in its 22-year company history.
No complaints filed with privacy watchdog
The scope of the potential security problem in Canada is largely unknown. The office of the privacy commissioner acknowledges the privacy issues related to photocopier disposal but notes the issue has not been dealt with in an audit. The office also said no related complaints have been filed.
Brian Bowman, a business lawyer specializing in privacy and technology matters in Winnipeg, says many companies have yet to understand the security risk that photocopiers pose.
“If it’s your organization that’s affected, and it’s confidential corporate information, or it’s information that’s supposed to be regulated by privacy legislation, you’ve got issues,” Bowman said. “I do think it’s a prolific problem, and it’s something that many, many organizations are just totally unaware, and need to pay attention to this.”
Identity theft in Canada continues to increase. In 2009, the Canadian Anti-Fraud Centre said it fielded identity fraud reports from 11,095 Canadian victims. Losses totaled more than $10 million, representing an increase of more than $1 million from the previous year.