[Dataloss] Electronic Copiers Now Potential Source of Identity Theft

[DAIL, ANDY]

Just lovely..Imagine what gets copied in a University's Financial Aid
office alone..

http://www.cnn.com/2007/TECH/ptech/03/14/photocopier.risks.ap/index.html


SAN JOSE, California (AP) -- Consumers are bombarded with warnings about
identity theft. Publicized threats range from mailbox thieves and lost
laptops to the higher-tech methods of e-mail scams and corporate data
invasions.

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years
have disk drives -- the same kind of data-storage mechanism found in
computers -- to reproduce documents.

As a result, the seemingly innocuous machines that are commonly used to
spit out copies of tax returns for millions of Americans can retain the
data being scanned.

If the data on the copier's disk aren't protected with encryption or an
overwrite mechanism, and if someone with malicious motives gets access
to the machine, industry experts say sensitive information from original
documents could get into the wrong hands.

Some copier makers are now adding security features, but many of the
digital machines already found in public venues or business offices are
likely still open targets, said Ed McLaughlin, president of Sharp
Document Solutions Company of America.

"You actually have a better chance at winning 10 straight rolls of
roulette than getting those hard drives on copiers rewritten," he said.

Sharp issued a warning about photocopier vulnerabilities Wednesday --
just ahead of tax time.

The company, one of the leading makers of photocopiers, commissioned a
consumer survey that indicated more than half of Americans did not know
copiers carried this data security risk. The telephone survey of 1,005
adults, conducted in January, also showed that 55 percent of Americans
plan to make photocopies and printouts of their tax returns and related
documents.

Of that segment, half planned to make the copies outside their homes --
at offices, libraries and copy shops. An additional 13 percent said they
plan to have their tax preparers make copies.

Although industry and security experts were unable to point to any known
incidents of identity thieves using copiers to steal information, they
said the potential was very real.

"It is a valid concern and most people don't know about it," said Keith
Kmetz, analyst at market researcher IDC. "Copying wasn't like this
before."

Added Paul DeMatteis, a security consultant and teacher at the John Jay
College of Criminal Justice at the City University of New York: "We know
there are bad people out there. Just because this is difficult to detect
doesn't mean it isn't being exploited."

Daniel Katz-Braunschweig, a chief consultant at DataIXL, a business
consulting firm, includes digital copiers among his list of data holes
corporations should try to protect. He couldn't specify names but said a
few of his company clients did learn about the vulnerability after their
copiers were resold and the new owners -- in good faith -- notified them
of the data residing on the disks.

Sharp was among the first to begin offering, a few years ago, a security
kit for its machines to encrypt and overwrite the images being scanned,
so that data aren't stored on the hard disks indefinitely. Xerox Corp.
said in October it would start making a similar security feature
standard across all of its digital copiers.

Randy Cusick, a technical marketing manager at Xerox, said many entities
dealing with sensitive information, such as government agencies,
financial institutions, and defense contractors, already have policies
to make sure copier disks themselves or the data stored on them are
secured or not unwittingly passed along in a machine resale.

Smaller businesses and everyday consumers are less likely to know about
the risk, but should, he said.

Sharp recommends that consumers take precautions, such as asking their
tax preparers or the copy shops they are using about whether their
copier machines have data security installed.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.