As schools take steps to protect the security and integrity of data on their computer networks, experts warn they also should consider securing copiers and scanners that could be used to copy sensitive information.

Most digital copiers manufactured in the past five years have disk drives–the same kind of data-storage mechanism found in computers–to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of student records, tests, and employee information can retain the data being scanned.

If the data on a copier’s disk aren’t protected with encryption or an overwrite mechanism, and if someone with malicious motives has access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

Some copier makers are now adding security features, but many of the digital machines already found in schools, public venues, or business offices still are likely open targets, said Ed McLaughlin, president of Sharp Document Solutions Company of America.

“You actually have a better chance at winning 10 straight rolls of roulette than getting those hard drives on copiers rewritten,” he said.

Sharp is issuing a warning about photocopier vulnerabilities in conjunction with tax season–but it isn’t just people who make copies of their tax returns who are at risk, the company said.

“Schools are probably the most vulnerable” institutions, said Mike Marusic, Sharp’s vice president of marketing, in an interview with eSchool News.

In many cases, Marusic said, a central administrative or IT department monitors an entire school’s or district’s copiers using each machine’s Internet Protocol (IP) address.

“What people don’t realize is that, because [the copiers are] managed remotely, other people [might] have access to [them],” he said.

Schools can take action in several ways, Marusic said. One option is to close IP ports. When a copier is being installed in a school, he explained, the IT staff should close IP ports to ensure there is only one access point to the machine. In addition, schools can use media access control (MAC) filtering, which corresponds to a MAC address–the unique number on each computer. IT staff can tell a copier or printer to accept commands only from specified MAC addresses, Marusic said, meaning outside access by hackers is restricted.

Many schools employ these methods to keep their networks secure, Marusic said–but they might not think of protecting their copy machines.

“IP port closure is becoming more and more common,” he said.

Many schools place a copier’s IP address on the front of the machine for convenience in case of troubleshooting, Marusic said–but putting the address in such a prominent location makes it easy for anyone (such as an outside maintenance worker or a student in the office) to see it, write it down, and then access the machine from another location.

And schools should not cull students from the list of those who might try to access sensitive information.

“Students are naturally inquisitive about their programming capabilities, and where there’s a will, there’s a way,” Marusic said.

Sharp commissioned a consumer survey that indicated more than half of Americans did not know copiers carried this data security risk. The telephone survey of 1,005 adults, conducted in January, also showed that 55 percent of Americans planned to make photocopies and printouts of their tax returns and related documents.

Of that segment, half planned to make the copies outside their homes–at offices, libraries, and copy shops. An additional 13 percent said they planned to have their tax preparers make copies.

Although industry and security experts were unable to point to any known incidents of identity thieves using copiers to steal information, they agreed the potential was real.

“It is a valid concern, and most people don’t know about it,” said Keith Kmetz, an analyst at market research firm IDC. “Copying wasn’t like this before.”

“We know there are bad people out there. Just because this is difficult to detect doesn’t mean it isn’t being exploited,” said Paul DeMatteis, a security consultant and teacher at the John Jay College of Criminal Justice at the City University of New York.

Daniel Katz-Braunschweig, a chief consultant at Data|XL, a business consulting firm, includes digital copiers among his list of data holes that institutions should try to protect. He couldn’t specify names but said a few of his corporate clients learned about the vulnerability after their copiers were resold and the new owners–in good faith–notified them of the data residing on the disks.

Sharp was among the first to begin offering, a few years ago, a security kit for its machines to encrypt and overwrite the images being scanned, so that data aren’t stored on the hard disks indefinitely. Xerox Corp. said in October it would start making a similar security feature standard across all of its digital copiers.

Randy Cusick, a technical marketing manager at Xerox, said many entities dealing with sensitive information–such as government agencies, financial institutions, and defense contractors–already have policies to make sure copier disks themselves or the data stored on them are secured or not unwittingly passed along in a machine resale.

Smaller businesses, schools, and everyday consumers are less likely to know about the risk, but they should, he said.

Links:

Sharp Document Solutions Company of America
http://www.sharpusa.com

Xerox Corp.
http://www.xerox.com