CBS Copier Security Investigation & What You Need to Know

Submitted by Rick Dastin, president of the Xerox Global Products Delivery Group

The CBS Evening News last night featured a story about copier security. As we’ve been saying for years, copiers or multifunction printers (MFPs) are at risk for a data breach just like a laptop or desktop PC and CBS proved this by extracting data from MFPs purchased secondhand

Security is not a trend for Xerox. For years customers have been joining Xerox and other experts at thought-leadership events to discuss internal and external data threats, this event is one example from 2008 where Xerox joined customers in Los Angeles
Security is not a trend for Xerox. For years customers have been joining Xerox and other experts at thought-leadership events to discuss internal and external data threats, this event is one example from 2008 where Xerox joined customers in Los Angeles

This investigation may have you wondering about the security of the data that has flowed through your MFPs. Here’s what Xerox customers should be confident in knowing:

  • Xerox’s Image Overwrite feature, free with most Xerox MFPs, electronically “shreds” information stored on the hard disk of our machines.
  • On MFPs with hard drives we offer options for removal of the hard drive before the MFP is disposed of or turned in after a lease.
  • State-of-the-art encryption ensures all data in and out of the Xerox MFP is unreadable.
  • Product documentation (available on Xerox.com) will help you better understand the steps necessary to wipe the MFP if required before disposing of or trading in for new equipment.

The security of office printers and MFPs has been a focus of Xerox ever since we began introducing digital copiers. In the mid-90’s, we were one of the first to introduce the secure print feature, an option that safely stores jobs in the machine until the owner enters a PIN to release them. Security remains an industry-wide and longstanding challenge that has received the best of Xerox’s research and innovation.

But it’s more than the technology that we’re concerned with. Everyday Xerox works directly with its customers to assess their security needs. We help identify where their information resides, how it is transferred and detect the greatest areas of risk. Only by working together to create a data security plan that combines technology and policy can we protect our customers. We regularly host educational workshops across the country focused on this issue and maintain a website for customers with up-to-the-minute information on security features, vulnerabilities, patches and policy recommendations: www.xerox.com/security.

Stories like CBS’ are good reminders about how important it is to carefully evaluate the security measures built into the MFPs you are currently using or considering purchasing and to choose a vendor partner who will collaborate with you on a data protection strategy. It’s also a great prompt for those with older MFPs to make sure the security features available are enabled, and if needed, purchased.

Your local Xerox sales representative wants to talk to you about your concerns and security needs, don’t hesitate to contact them. And I’d love to continue the conversation in the comments, please share your thoughts.Globe Theater

— Rick Dastin, president of the Xerox Global Products Delivery Group

Related Posts

Receive Updates

25 Comments

  1. uberVU - social comments April 20, 2010 - Reply

    Social comments and analytics for this post…

    This post was mentioned on Twitter by XeroxCorp: CBS Copier Security Investigation & What You Need to Know http://bit.ly/cNlVPG

  2. Online Connect UK April 21, 2010 - Reply

    I think its good that people are focusiing on security of photocopiers and its nice to see such a quick response from Xerox. I also have wrote an article that may be of interest to your readers.
    http://onlineconnect.wordpress.com/2010/04/21/security-threat-of-digital-photocopiers-worse-than-cbs-reported/

  3. […] types of data breaches are eminently avoidable;  Manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure […]

  4. Sanjeev Mahajan April 24, 2010 - Reply

    In India used copeirs /mfd have a lrager share ofmarket than new machines and most of machines come from USA or Europe with Xerox being the No 2 player following Canon. In several machines we have HD full of valuable (to some ) information and most of importers are able to clean and refurbish machines and not equipped to deal with the software /HD and so quite often atleast one in three the new end user has ability to print docs from HD or even send electronically the files still stored in HD /memory . maybe the local Xerox company can approach the big dealers importers and clean machines before they sell the used machines …therefore it is not about ability of the equipment to do what is claimed but about the steps that need to be followed by people to ensure data security at all levels in the supply chain from the IT manager selling or letting go the machines to the buyer of used machines in the country of origin down to the reseller in the importing country.

    • Guest Blogger April 26, 2010 - Reply

      Hi Sanjeev,
      Thanks for weighing in on this important topic. I lead Xerox’s product security group, and can tell you that it’s critical for customers and distributors of Xerox MFPs, and all MFPs, to understand the value of erasing a machine’s hard drive before an MFP is turned in when the lease expires, or sent for recycling. We continue to educate customers on the importance of protecting their information, and inform them that they are ultimately responsible for any data left on an old machine similar to PCs and laptops. We encourage use of Xerox’s Image Overwrite security option, free on most Xerox MFPs, that electronically “shreds” information stored on the hard disk of machines as part of the routine job processing. We also offer a hard disk removal service where a Xerox technician will remove the hard drive and turn it over to the customer for disposal.

      Larry Kovnat
      http://www.xerox.com/information-security/product-security/enus.html

  5. Kerry Sainsbury April 27, 2010 - Reply

    Hi Larry,

    What’s the explanation for why files remain on the hard disk for any length of time? Surely they should be automatically deleted moments after the document has been scanned/emailed/printed/whatever?

    Also, when you say “State-of-the-art encryption ensures all data in and out of the Xerox MFP is unreadable” are you saying that the disk files created are encrypted. That sounds like a good idea, and if true, surely there is no problem with anybody being able to retrieve data from the hard disk — whether they “shred” data or not.

    I don’t understand the need for anybody to manually “shred” data if the data is encrypted (and I don’t understand why it wouldn’t be encrypted!)

    Cheers
    Kerry

    • Guest Blogger April 28, 2010 - Reply

      Kerry – Thanks for continuing the discussion. To answer your question about why data might remain on the hard drive for any length of time after it is copied/e-mailed/etc., it really comes down to different customer needs. Customers can enable the Image Overwrite feature so that the image is immediately erased after the job is completed, but they can also set different time parameters based on their specific security needs. For example, some companies may want a record of what is copied on an MFP, so they can check on a weekly basis to ensure sensitive data isn’t being duplicated. This customer may prefer the Image Overwrite feature to run on a weekly basis, right after they’ve checked the data for other reasons, as opposed to immediately.

      Specific to data encryption, Image Overwrite and disk encryption work together to counter different threats. Image Overwrite makes sure that any residual data remaining after a job is completed is destroyed while encryption protects data that is still being processed. The best protection is offered by using the features together, but it’s ultimately the customer who determines how to best put these solutions into practice.

      Thanks for weighing in!

      Larry

  6. […] feature is available on most of there digital copiers and this electronically shreds information.(Xerox Securty Information). Sharp also offer a security kit that encrypts data on the hard drive and shreds stored […]

  7. Craig May 6, 2010 - Reply

    Larry, is this feature enabled by default, or just installed by default? I ask because it seems to be present, but disabled, on all the copiers I have checked so far. I have reached out to my local office to get that remedied but I think it’s an important distinction for the people who might be reading this thread. Thanks!

    Craig

    • Karen Arena May 7, 2010 - Reply

      Craig:
      You were reading our minds! We just developed and posted earlier today on http://www.xerox.com/security a reference document “Data Protection: Image Overwrite, Encryption and Disk Removal” to assist people looking for additional information on their Xerox devices. You’ll find under the “Just Released” section. Among the many security issues we cover in the document, there’s a table which will help people identify Xerox products containing disks or other non-volatile storage and whether those products include image overwrite capability and/or disk encryption. Thanks for helping us get the word out.

  8. […] and we take proactive steps to continuously maintain the security of devices in the field. Read the blog entry submitted by Rick Dastin, President of the Xerox Global Products Delivery […]

  9. Jamie May 11, 2010 - Reply

    I’m sad to learn that our Xerox DocuCentre 265 MPF offers neither Image Overwrite nor Encryption:

    http://www.xerox.com/downloads/usa/en/c/cert_Xerox_Product_Security-Data_Protection.pdf

    Sad cat is sad. 🙁

  10. Wendell from Hawaii May 18, 2010 - Reply

    What happens to those Canon copiers traded in and picked up by Xerox as trade ins for our new leased Xerox copiers? Are those Canon copier HDs destroyed or are the Canon copiers resold on the open market and its accountability and disposition status lost forever? What is Xerox’s stated policy on preventing identity thefts from these traded in non-Xerox copier HDs? Curious Wendell from Hawaii

  11. Larry Kovnat May 19, 2010 - Reply

    Hi Wendell, our approach is simple regarding competitive machines that are traded in for Xerox machines: all competitive machines that are traded in and picked up by Xerox are destroyed.

  12. […] Real Business at Xerox Blog – CBS Copier Security Investigation & What You Need to Know http://realbusinessatxerox.blogs.xerox.com/2010/04/20/cbs-copier-security-investigation-what-you-nee… […]

  13. Sasha June 17, 2010 - Reply

    It’s good that Xerox has addressed this concern with the soonest possible time, because a lot of Xerox machine users are very concerned with the security of the data that they try to copy/scan/print on their Xerox machines. It’s also a good thing that they have certain sites that have blogs like this one which helps enlighten everyone.

  14. Kerry Mulder July 15, 2010 - Reply

    I think this is an important topic. Security is one of the features that customers are increasingly interested in when considering buying new equipment.

  15. […] need remove the hard drive before reselling, donating, or trading in your office equipment.  More on electronic file shredding can be found here! Did you like this? Share it:Tweet Posted in Copiers | « Shady business practices to watch […]

  16. […] been highlighting the issues of information security for years, even writing a few posts on this blog; but we would not have been able to create as much spontaneous education as this story did – […]

  17. Fay Elizabeth April 26, 2011 - Reply

    How do i just say such a relief to seek out a person that actually knows what theyre talking about over the internet. You actually recognize how to bring a major problem to light making it important. More people ought to you might need and can see this side of your story. I cant believe youre no more popular because you definitely offer the gift.

  18. Robert Johnson June 18, 2011 - Reply

    What about the security of Xerox clone files. They contain passwords and other configuration data. Are these passwords encrypted. How well is the security/encryption if it does exist.

  19. Larry Kovnat June 21, 2011 - Reply

    Thanks for your note Robert.
    Clone files allow simple replication of configuration when a new machine is installed. If network scanning is enabled on the device, it is often useful to clone the account settings and credentials for the network repository. This is a user option – the user has the ability, when creating scan-to-file templates, to select whether credentials will be clonable. Selecting the non-clonable option for passwords is the most secure, but will require that the credentials be entered manually.

  20. service options September 3, 2014 - Reply

    First of all I want to say terrific blog! I had a quick question which I’d like to ask if you don’t mind.
    I was interested to know how you center yourself
    and clear your head prior to writing. I have had a difficult
    time clearing my thoughts in getting my ideas out.
    I do enjoy writing but it just seems like the first 10 to 15 minutes tend to
    be lost just trying to figure out how to begin. Any
    recommendations or tips? Thanks!

    • Gregory Pings September 3, 2014 - Reply

      I’ve found that if I’m centered and my head is clear, then I can’t write. Writing happens when there’s something inside the head that has to come out, and it wants to come out so urgently that it will bump up and compete against other thoughts and ideas that also want to come out. For me, the process of writing is sloppy, unorganized, and just a little bit dirty. Thank God for computers — if I had to retype all of my copy every time I make a change, I might still be writing my senior thesis.

  21. Brain June 6, 2016 - Reply

    This is very important topic about security and passwords.

Post A Comment

Your email address will not be published. Required fields are marked *

To see how we protect your personal data, view our Privacy Policy.