Brian Harkin for The New York Times

While it’s common knowledge that leaving sensitive personal information in trash bins or on computers raises the risk of identity theft, many consumers may not be aware that copying sensitive information on certain copy machines could also put them at risk.

Last month, CBS News highlighted the identity theft threat from copiers in an investigative report, “Copy Machines, a Security Risk?”

In the CBS report, which we learned about from the Beyond Paycheck to Paycheck blog, the correspondent, Armen Keteyian, noted that many copiers contained hard drives filled with images of every document they’d ever copied. Often, owners don’t wipe these hard drives clean before selling the machines.

Mr. Keteyian demonstrated how easy it would be for this data, which often includes sensitive information like Social Security numbers and medical records, to fall into the wrong hands. CBS and the founder of a company that sells software to delete data on copier hard drives purchased four old copiers from a warehouse in New Jersey and found loads of sensitive data stored in the copiers.

This has apparently been a known risk for some time now, though this is the first we at Bucks (and many security professionals) had heard about it. “It kind of hit everybody with a bombshell, including a lot of security people,” said Rex Davis, director of operations at the Identity Theft Resource Center in San Diego, which is working on its first fact sheet about the risk. “I don’t think anyone perceived that the hard drive would keep an image of a previous job for an indefinite period of time.”

As a result of the CBS report, at least one lawmaker has called for an investigation into the storing of documents on the hard drives of digital copiers. Any kind of government action may be a while off, however, so here’s some information to help consumers understand the risk and protect themselves.



First, many consumers may be wondering how widespread photocopier-related identity theft is. The answer is not widespread, yet. According to CBS, before its April 19 report there were no known crimes related to information from copy machine hard drives, and the only known breach so far was actually CBS’s discovery of sensitive medical information on one of the four machines.

Still, Linda Foley, founder of the Identity Theft Resource Center, said that the CBS report was likely to prompt additional cases. “Unfortunately, now that it has been brought to the public attention, there will be thieves thinking ‘Oh, what a great idea,’” she said.

So what can consumers do to protect themselves? First, before copying sensitive information on your office copier, ask the information technology staff if the copier is one with a hard drive. According to Mr. Davis of the Identity Theft Resource Center, hard drives tend to be found only in high-end digital copiers that cost thousands of dollars and can handle large copy jobs quickly. If your employer’s copier doesn’t have a hard drive, you probably don’t need to worry about copying your information. (Just don’t leave your originals behind.)

If your employer does have such a copier, ask if there is a policy in place for scrubbing information off the hard drive or protecting the data somehow, especially when your employer is ready to get rid of the machine. In recent years, major copier manufacturers have started publicizing the risk of copier hard drive data breaches and offering security or encryption packages on their products that companies can purchase for an extra charge.

But if your employer doesn’t have a package like that, you’ll have to find somewhere else to copy sensitive information. You should be wary of using a public copier. According to Mr. Davis, before making copies at a copy center like Kinko’s, you should ask the copy center the same questions you would ask your employer.

The safest bet, he said, may be to invest in a personal printer-copier-scanner for your home like the ones made by Hewlett-Packard. While these machines are slower than most machines at an office, “the cost of an extra minute or two in order to make sure your personal information doesn’t get outed at some point is really cheap,” Mr. Davis said. You may also want to consider putting a security freeze on your credit files, which, while not foolproof, does help prevent many kinds of identity theft.

How are you protecting yourself from copier-related identity theft? What kind of home copier would you recommend?