Copiers: Gold Mines for Identity Theft
Your doctor, lawyer, or tax preparer could all be unwittingly giving away your very private information. And they're doing it by using copy machines. You may already be a victim and not even know it, reports Tony Lopez of CBS Station KOVR in Sacramento.
The copy machine is an important and seemingly harmless part of our lives. And when it's time to upgrade, the old ones are sometimes sent to e-waste centers for recycling, but usually they wind-up in a wholesale warehouse on the used copier market.
KOVR went to one of two in Sacramento with John Juntunen, an expert on the copy machine business. There were hundreds of machines, shrink wrapped, and ready to shipment.
"You're looking at 15, 20 thousand documents each" Juntunen says - documents that still reside inside. Most copy machines use hard drives to store every document that has been scanned, printed, faxed, or e-mailed.
That electronic file will stay there until someone removes it or new documents push out the oldest ones.
"But this machine here, I can tell it hasn't been cleaned because of the IP-address on it" he says.
Juntunen, and his company Digital Copier Security, specialize in removing the data on those drives; they're hired by companies who know the importance of doing that before getting rid of their copiers.
As easy as tapping the screen, he finds files and is able to print them. One is a confidential child support application.
Like any potential buyer can do here, he connects a computer that allows him to see, download and print whatever is on the hard drive of one of these copiers.
One is a local machine from McCarthy Construction, a major commercial builder. On it, he finds what are clearly marked "confidential" financial statements.
We took it to their Roseville office. A vice president confirmed it is highly confidential, but was confused about how we had gotten it; he didn't want to talk beyond that.
"So here's documents that are stored on the machine" Juntunen shows us. Another machine, more documents -- it's just too easy.
This time we find financial records, including an IRA application for a woman named Marilynne Boyd. Marilynne's husband Harold couldn't believe what we had.
"They have the address, the social security number, they have the date of birth, I mean it's ridiculous" he says while reading the paper we gave him. And it's all in one document.
"It basically becomes an identity thief's dream" says Sean O'Leary. He's the senior analyst for Digital Copier Security. He says laws that prevent the release of private information aren't being enforced when it comes to copier data.
He blames a lack of awareness by authorities and by the businesses themselves.
The moment a copier, rich with files, leaves, let's say, a medical office, patient privacy laws have been violated. "The medical practitioners lost control of that medical file at that point, and that's information that nobody should have" O'Leary says.
Juntunen's office is filled with hundreds of hard drives, many containing thousands of files.
This drive came to us from a customer who bought the used copier from that wholesaler in Sacramento.
He replaced it with a new one but noticed it was loaded with files. On it - a document full of names and numbers, but there was one that caught us by complete surprise - the private information of Caroline Kennedy, the political family scion, socialite and sometime candidate. We dialed Mrs. Kennedy's home number, and her husband Edwin Schlossberg answered.
He had no interest in talking about how their privacy was compromised, and asked us to tear up the paper.
The next day, Mrs. Kennedy's assistant called to tell us "Caroline appreciates us bringing this issue to her attention. She was very surprised to hear about this and was not aware [of the problem]."
That page is one of dozens that were retrieved from a copier recently used by the bay area's Omidyar Networks." It's a philanthropic investment firm and was established by Pierre Omidyar, the founder of E-bay.
Also on that drive - files containing Omidyar business partners: billionaire financier George Soros and Google.
Among the documents there were e-mails, account summaries, budgets, non-disclosure agreements, and the Omidyar's financial contributions. And there was a document that contained the signature of a Google vice president and general counsel.
Right now, no one has a legal responsibility to wipe copier drives clean of potentially damaging data. Warehouses all over America are full of used copy machines containing millions of files just waiting to be mined by unscrupulous criminal profiteers.
Even more worrisome is that an estimated 70 percent of these machines will ultimately land overseas in China, Europe, everywhere. And data-filled hard drives that are salvaged from machines sent to E-waste recyclers; many will wind up for sale online.
"[It's an] issue that's going to have major ramifications. It's going to hit like a ton of bricks when it does hit" warns O'Leary.
Meanwhile, consumers like Harold Boyd and his wife are left, at best, wondering what's next.
"Uh, you and I will sit down and talk about because we don't know what's out there now. I mean this really scares you" Harold tells his wife over the phone.
Omidyar Networks said it appreciated us bringing this issue to their attention, and that it's using built-in security systems to protect the data on its copiers.
There is security software that offers some protection for the data on those hard drives but experts say they're not always used, and they're not 100 percent effective.
Digital Copier Security says its efforts to raise awareness are being met with indifference by authorities, copier dealers and lawmakers.
They say copier companies are reluctant to tell their customers about this document retention issue, because it would likely cost them an extra hundreds of dollars on top of the copiers cost.
Also know that public copiers like those at grocery stores, drug stores, and copy centers all likely have hard drives. You may want to ask management about their privacy policy regarding the data that's stored on those machines.