Photocopiers: a potential privacy risk
We have all heard the stories of highly confidential or personal documents found in discarded filing cabinets or industrial rubbish bins. However, did you know the humble photocopier or multi-function printer could be the source of a privacy breach?
In April 2010, CBS News reported [1] that identity thieves could access personal information contained in the hard drives of discarded photocopiers. The report indicated it only took a couple of hours to unlock the treasure trove of information stored within four second-hand photocopiers that had been purchased. One hard drive contained 300 pages of an individual’s health record, including information about medications and pathology tests.
Photocopiers or multi-function printers manufactured after 2002 have the capacity to store thousands of images on their hard drive. This means every document copied, scanned, faxed or emailed could be vulnerable to unauthorised access.
Each day, Queensland government agencies handle and process thousands of documents containing personal information. A significant number of these documents pass through an agency’s photocopier or multi-function printer, resulting in the collection and storage of personal information on the hard drive.
Queensland government agencies must comply with the Information Privacy Act 2009. The Act governs how Queensland Government agencies collect, store, use and disclose personal information. The careless, negligent or accidental disclosure of information may be a breach of the Act. Therefore, it is imperative that agencies take appropriate action to protect the personal information they collect. This includes personal information collected by photocopiers or multi-function printers.
Tips for protecting personal information:
- Develop procedures and practices to ensure the printer hard drive is cleansed before its disposal
- Ensure printer leasing contracts include a clause for cleansing data, in accordance with industry best practices, when the lease expires or the device is decommissioned
- Turn off the USB and/or SD card readers on the printer so they cannot be used. They are a potential path for introducing viruses or malware, or for copying data to or from the hard drive
- Use a ‘FollowMe’ type solution, which ensures printouts are only accessible by the person requesting them
- Use encryption in transit between the print server and the printer to prevent potential traffic sniffing
- Configure the printer and/or print server to automatically delete print jobs after a set period of time (e.g. 24 hours)
- Regularly check printer network connections for any odd-looking box or device that may exist between the wall port and the printer’s LAN cable port. This could be a ‘man in the middle’ security breach
- When undertaking security penetration testing, include the printer/s in the scope of work.
Check out our Guidelines and Information Sheets for more information about your information access and privacy rights and responsibilities.
[1] CBS News: Digital photocopiers loaded with secrets, April 19 2010.