SMU takes steps to maintain copier hard-drive security

Copier control pad stock photoData security issues ranging from software bugs to social network privacy have made news this year – and one of the biggest stories has involved the ease with which sensitive data can be retrieved from office copiers.

Almost every copier manufactured since 2002 has a built-in hard drive. As the copier is used to copy, scan, fax, e-mail or print a document, an image of that document is stored on the hard drive. That image remains on the drive until overwritten by a subsequent job.

As a result, a copier hard drive may contain snapshots of pay stubs, Social Security information, insurance documents, birth certificates, bank records, credit card statements, income tax forms, confidential memos and other data that can be used for identity theft and other malicious purposes.

> CBS News: Digital Photocopiers Loaded With Secrets

SMU’s copier fleet, which is leased from ImageNet Inc., stores data on embedded hard drives during the normal course of machine usage. SMU’s Auxiliary Services, Mail Central and Office of Information Technology are working together to ensure any data stored on these drives is protected and the data is wiped from the drives as the copiers are retired.

Both Canon and HP – the manufacturers of the copiers SMU leases from ImageNet – have taken measures to protect the data on their hard drives. These measures range from using proprietary file systems on the hard drive to writing the data to the hard drive in noncontiguous space, making it difficult to retrieve and reassemble. Both machine providers also offer the ability to encrypt the data as it resides on the hard drive.

“The security and privacy of our information assets are our highest priority at SMU,” says Joe Gargiulo, SMU’s chief information officer. “Security is everyone’s responsibility, so it’s important that we work with all departments that have copy machines to make them aware of the potential vulnerabilities of copier hard drives.

“OIT has been diligently working with our copy machine vendor to ensure that the hard drives are encrypted, that they are protected from the Internet, and that the hard drives are erased before returning to the vendor.”

Departments should be aware of the issue as well, and report any suspicious individuals attempting to service a copy machine, Gargiulo adds.

As Mail Central coordinates the replacement of the University’s copier fleet, personnel are working closely with ImageNet to ensure each copier hard drive is wiped clean before the copiers are retired. ImageNet will provide SMU with a letter of certification for each copier as its hard drive has been wiped.

When new copiers are put in place, encryption will be enabled for each hard drive to ensure the data it contains is not recoverable if the drive is removed from the machine. In addition, the network connections to the copiers are being secured to ensure no one can gain access to the data on the drives through the network.

For more information on SMU’s copier program, contact Patrick Cullen, assistant director of auxiliary services, 214-768-3400.

> Visit the Office of Information Technology’s Information Security page
> Visit the Auxiliary Services homepage
> Visit Mail Central online