Maryland PI Spotlight
How Companies Are Giving Away Sensitive Data and Don’t Even Realize It
By M.R., Aris Investigations
Your company knows of all the laws governing privacy and you take security and privacy
seriously. You make sure your company documents are secured correctly in accordance
with all the state and federal laws and possibly even as per agreements signed with clients
and/or the government, if you are a government contractor. File cabinets are locked,
rooms are secured, and cameras might even be installed, recording even a fly’s attempts to
breach the security. The IT Department is diligent with permissions on the data on the
network and company computers. Internal policies may have been written and you have
meetings and trainings. All is good, right? Then why are you simply giving all your
Accounting, HR and client records to everyone?
What, you say? “How dare you!” you may be thinking. However, if your company owns or rents one or more copiers, you may, in fact, be
giving away your data and your employees’ and clients’ data. Think about what you or your company does on a copier/printer/scanner. You
print checks, copy HR records, scan client documents, copy or print medical records, and maybe an employee sneaks onto the copy machine to
copy their tax return. All of those types of records have Social Security numbers on them, names, addresses, salaries, client rates,
government information, personal medical information, etc. All of these copiers have hard drives in them. They may not be as easily
accessible as a workstation hard drive, so you may not even realize they are in there, but they are. Like any hard drive, they store all that
data, even if erased through the copier. Even formatting the drive is not a sure way to erase that data forever.
So what do you do when the copier lease term is up, or the copier is too old and you purchase another one? Most likely you give it back to
the lease company and get a new one or, if you own it, sell it on eBay, take it to the recycler or landfill, or donate it. Especially if it is not
working, most people think there is no way anyone else is going to do anything with it. But in all those circumstances the hard drive is
still there and almost always readable in some fashion.
A lot of copier companies do not scrub the drives or install new ones. Surely if you donate or sell it, the drives are not erased. Even if the
hard drive is damaged, it can still be read in many cases. A lot of these copiers are refurbished and then sold to be used by another
company, or they are shipped overseas to be used with the hard drive your company left in them, intact and readable. Identity thieves
routinely look through the junkyard or buy cheap copiers for the hard drives and the data left on them. Simple, free forensic
software available online is all they need to get Social Security numbers, bank account numbers, names, addresses, personal identification numbers,
passwords, government information, etc.
So all those days, months and years spent protecting that data in the office get handed right to an identity thief. If it makes you feel any
better, I am sure the thief is thanking you for the information. But that probably isn’t a consolation, is it?
So instead of getting mad, let’s get even. First thing to do if you lease the copiers is to contact the copier company you have a contract
with and determine their policies on scrubbing the hard drives once you return the unit at the end of the lease.
If they don’t have a policy, then work out with them a plan to watch them remove the hard drive when the lease is up. Take the hard drive
into your possession and return the copier to them without the hard drive. They may charge you a small fee for this. However, it is worth
it to be sure the drive with all your data does not get into the wrong hands. On the next lease, work this out ahead of time and request
this service for free. If they won’t, copier sales are very competitive and my bet is their competitors will, especially if they know this is
all it will take to sign you up.
If they do have a policy to scrub the drives once you return them, decide whether you trust they really do that or are just handing you a
comforting line. If it were me, I would still feel better working out a plan to watch them remove the drive and hand it to me before they
take the old copier away.
Then you need to dispose of the hard drive(s). There are many companies that will come out and shred them for you. Shred you say?
Yes, the shredder is in a large truck and it is really cool to watch. Bring some popcorn and keep your fingers clear of the truck. It will not
be worth calling the shredder out for one drive, however. If you frequently have older workstations that you are replacing every couple of
years, hold the copier hard drive in a safe secure place and call the shredder in when you have all the old workstation hard drives. Yes,
you should be doing this with old workstation hard drives as well. Data never gets erased off the drive when you hit delete. Identity and
information thieves love old workstations too. Why hack into a company when they are handing you their computers in the form of
donations and landfill fodder? Drives can be scrubbed rather easily by you; however, nothing beats shredding them for peace of mind that
no one will ever get that data off. It is hard to get data off a hard drive that’s in a couple hundred pieces!
If you own the copier, make sure you remove the drive yourself or call your copier service company in to do it. Before selling the copier, either have them
replace the drive and reload the software onto the new drive, or sell it minus the hard drive. Then dispose of the old
drive as mentioned above.
Now you can be sure your data isn’t getting handed right out the door and you can have the last laugh thinking about an identity thief
scouring your copier’s freshly loaded new hard drive only to find a test print.
Copyright © 2011-2013 Aris Investigations, Inc.