Several months ago, more than 400,000 New Yorkers received a data breach notification from health care provider Affinity Health Plan. But the warning wasn't due to the usual culprits, hackers who break into corporate computer systems. Rather, it was prompted by a single office copying machine.
You might not think a photocopier could cause such harm. But consider this: Starting in 2002, most copiers manufactured for use by businesses, libraries and copy centers have been equipped with computer hard drives.
"Every time you make a copy, print, scan, e-mail or send a fax from that machine, it makes and stores images of the document to the hard drive," says copier security expert John Juntunen. Unless the hard drive is erased or replaced, images of copied documents — including those with Social Security numbers, bank account information or medical files — remain stored inside the machine.
"The problem is, about 90 percent of office copy machines in the U.S. are leased," he adds, "and when those leases are over, most of those returned machines are exported or resold without anyone touching them."
For now, there is no evidence that identity thieves have used information left over in copiers, says Juntunen, whose company, Digital Copier Security, provides technology that deletes data from copier hard drives.
But the potential is clearly there. Earlier this year, CBS News accompanied Juntunen to a New Jersey warehouse and bought four copiers that had been leased and returned. One of the machines, formerly used at an Affinity Health Plan office, yielded medical records of nine individuals. Based on that machine and Affinity's use of many more hard-drive-equipped copiers, the company sent out its mass notice of a potential data breach. The machines also contained police records and pay stubs with Social Security numbers.
In May, Rep. Edward Markey, D-Mass., called for an investigation. And the Federal Trade Commission announced that it was "reaching out to copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risks."
Most manufacturers had already acted. Copiers made since 2007 have been equipped with built-in technology that allows the erasing or encrypting of hard drives. "The real problem is with machines made from 2003 to 2007," says Juntunen. Huge numbers of them remain in use across the country — possibly at your library or doctor's office.
So how can you protect yourself?
- When you copy sensitive documents, try to use a home printer that has a copy function. That machine is unlikely to help identity thieves: Most home printers that generate 20 or fewer pages per minute have no hard drives.
- If you must use a public copier, ask the people who oversee it how they protect users' information. Such inquiries will raise awareness of the issue and in the long term encourage the erasing of the machines' drives. "No one wants to be responsible for resulting problems," says Juntunen.
- Ask whether the machine is owned or leased. Owned copiers are less likely to be resold and reach scammers.
Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.