Data Security Threats Lurking in Your Business Printer's Hard Drive

By: Jay Brown
January 20, 2014

Most people understand why it’s important to remove sensitive files from a laptop’s hard drive before getting rid of it. However, far fewer know that a printer’s hard drive can store copies of every document it’s ever processed, which means it also needs secure decommissioning. 

Looking to upgrade, retire, or dispose of your company's printer? Here’s what you should know about protecting your data when a printer reaches the end of its lifecycle.

How Printer Security Vulnerabilities Have Evolved


Back in the day, printers were physically connected to computers, and they essentially had one job: create a printed document. That’s all changed. 

Now, for modern printers to receive files quickly and manage multiple print jobs effectively, they share many features with computers. They’re connected to your systems and data through the internet, and they have hard drives, system memory, operating systems, and software. 

Just like computers, printers have both volatile memory (similar to RAM) and non-volatile memory (similar to hard drives). Volatile memory disappears when you power off the device, but non-volatile memory persists until it's actively deleted or overwritten.

The Real Cost of Ignoring Print Data Security


Print security is a big problem, and it’s not a new one. Back in 2010, CBS News investigators purchased used copiers from a warehouse in New Jersey and discovered a mother lode of sensitive documents left on the equipment’s hard drives, including detailed domestic violence complaints and lists of wanted sex offenders from the Buffalo Police Sex Crimes Division; a list of targets in a major drug raid from the Buffalo Police Narcotics Unit; and design plans for a building near Ground Zero, plus pay stubs with names, addresses, social security numbers, and $40,000 in copied checks from a New York construction company.

And that was just on the first three printers that investigators purchased. 

Printer #4 had been used by Affinity Health Plan, a New York insurance company. Its hard drive revealed 300 pages of individual medical records, including drug prescriptions, blood test results, and a cancer diagnosis.

Clearly, something as simple as failing to sanitize information from a printer’s memory could easily lead to:

  • Legal and regulatory penalties
  • Revealing sensitive information
  • Identity theft
  • Loss of customer trust

Printer Security Best Practices at End-of-Life


Removing sensitive data from your printers isn’t hard! Here are our recommendations, depending on the type of printer and how it’s being used:

For Basic Home or Small Office Printers

If you need to clear recently printed confidential documents from a home office printer, you can overwrite the memory by printing 5 to 10 complex documents (like high-resolution images or graphics-heavy files).

For volatile memory, just unplug your printer for 60 seconds to clear temporary data.

For Advanced, Multifunction Devices

Advanced office printers with hard drives measured in gigabytes require a bit more effort. Most modern enterprise printers come equipped with built-in security features, but they’re not all the same.

It's important to note that simple deletion does not erase data on either HDDs or SSDs. It only marks the space as available, leaving the underlying data intact until it is overwritten. As a result, the information can often be recovered with forensic tools unless proper secure erase methods are used.
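The difference between deleting and overwriting described above, as an added example that is not part of the original article: a toy in-memory disk on which a deleted print job is still found in free blocks until those blocks are overwritten. The class, file name, and sample job data are all constructed for illustration.

```python
import os

BLOCK = 512  # bytes per block on the toy disk (constructed value)

class ToyDisk:
    """In-memory stand-in for a printer drive: raw blocks plus a file index."""
    def __init__(self, nblocks):
        self.raw = bytearray(nblocks * BLOCK)
        self.index = {}                    # file name -> block numbers
        self.free = list(range(nblocks))   # unallocated block numbers

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.index[name] = blocks

    def delete(self, name):
        # Simple deletion: drop the index entry and mark the blocks free.
        # The bytes in self.raw are left exactly as they were.
        self.free.extend(self.index.pop(name))

    def overwrite_free_space(self, passes=3):
        # Multi-pass overwrite: random data, then zeros on the final pass.
        for p in range(passes):
            for b in self.free:
                fill = bytes(BLOCK) if p == passes - 1 else os.urandom(BLOCK)
                self.raw[b * BLOCK:(b + 1) * BLOCK] = fill

def residual_hits(disk, marker):
    """Return the free blocks whose raw bytes still contain `marker`."""
    return [b for b in sorted(disk.free)
            if marker in disk.raw[b * BLOCK:(b + 1) * BLOCK]]

def demo():
    disk = ToyDisk(nblocks=16)
    marker = b"SSN 000-00-0000"                           # constructed value
    job = b"SCAN JOB: patient record, " + marker + b" "  # constructed sample
    disk.write_file("job-0001.spool", job * 20)           # 840 bytes, 2 blocks
    disk.delete("job-0001.spool")
    after_delete = residual_hits(disk, marker)
    disk.overwrite_free_space()
    after_wipe = residual_hits(disk, marker)
    return "job-0001.spool" in disk.index, after_delete, after_wipe

if __name__ == "__main__":
    print(demo())
```

The file is gone from the index after `delete`, yet both of its blocks still match the marker; only the overwrite clears them. The toy model behaves like an HDD and does not capture SSD wear leveling, which is why SSDs need their own sanitization method.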

If you’ll be taking care of your printer’s decommissioning in-house, be sure to ask your device’s manufacturer about the data sanitization procedures recommended for your specific printer, often referred to as end-of-lease features. Proceed with caution, however: some copiers store their firmware (operating system) on the drive, and some types of sanitization will destroy these files, potentially damaging equipment or even voiding your lease.

For organizations working with Marco, great news! Marco provides complimentary data sanitization services on all print devices returned through a Marco facility. This includes a full multi-pass overwrite of HDDs (equivalent destruction for SSDs) and clearing of NVRAM. This program is offered for all customers at no additional cost.

If you work with another vendor, here’s what we’d recommend:

  1. Ask your vendor to irrecoverably erase the hard drive according to industry best practices and security standards
  2. Alternatively, request that the hard drive be removed and returned to you for secure storage or destruction (fees may apply)
  3. Make sure you get a Certificate of Hard Drive Disposition as proof of proper data destruction (always retain a paper trail for your security controls' operating effectiveness)

Pro tip: Not every print provider has kept up with security. So don’t just assume your print provider is securely decommissioning your equipment unless it’s specified in your contract! Even then, be sure you are requesting certificates of destruction to ensure compliance with your agreements.

Print & Data Security for Active Devices

Protecting your data when you’re retiring your printer is important, but so is protecting your data while your printer is still being used. That’s also not happening as often as it should.

Your print security strategy should include:

  • Data encryption on printer hard drives and memory
  • Secure authentication requiring users to verify their identity before documents are released (pull-printing or follow-me printing)
  • Regular firmware updates to patch security vulnerabilities (fees may apply)
  • Hardening device configurations, including changed default passwords and disabled unused ports and protocols
  • Print monitoring software to track who is printing what and identify unusual activity

Incidentally, in that story we mentioned earlier, the Buffalo Police Department’s printer still had a hard copy left lying on the glass inside the machine. Anyone who bought that printer, even someone with no technical skills whatsoever, would immediately be able to see sensitive information, and also get a strong sense of what else might be inside.

And that brings us to our next point — not all print security threats are digital! Sensitive documents left lying unattended in a print tray can also be a big security risk, all by themselves.

Getting Help Implementing a Robust Print Data Protection Strategy

A comprehensive print data protection strategy should address printer security from initial configuration and daily use to secure decommissioning. This holistic approach ensures no gaps in your security posture that cybercriminals or a disgruntled employee could exploit.

Unfortunately, it’s not always easy to find a print provider that can do that. Less than one-third of organizations are satisfied with their print supplier's security capabilities, with many providers lacking dedicated print security teams or the resources to keep pace with evolving threats.

At Marco, print security isn't an add-on service. It's standard for all managed print services clients. And you don’t have to wonder whether or not we’re consistently following best practices. We’ve achieved a SOC 2 Type 2 certification for both our managed IT and managed print services. Learn more about our security-first approach in our Managed Print Services 101 guide below! 

Get Managed Print Services 101: The Complete Guide Find everything you need to know here

 
