PCI Free Blog

New Data Security Threat Identified: Photocopier Hard Drives

Reports indicate that the Federal Trade Commission (FTC) is investigating whether copier and scanner manufacturers are adequately alerting their customers to the potential for data theft directly from the device's hard drive. Most printers, scanners, fax machines and copiers manufactured since 2002 are likely to have a built-in hard drive that can store sensitive cardholder data. Sensitive data includes credit card numbers, dates of birth, social security numbers and bank account information. An image may be stored each time an employee scans, faxes or photocopies a document, and stored images may remain accessible long after the document was scanned or copied.

Hackers and cyber-thieves are already aware of this vulnerability and are therefore likely to target these devices. Malicious software can be introduced remotely to scan the hard drives of devices connected to a network and compile data from sensitive documents. Criminals can then sift through that information and extract credit card and bank details for fraudulent use. Even if you have never copied documents containing credit card information, personal data such as social security numbers is also sought by hackers, to be sold or used for crimes such as identity theft.

One report claims that sensitive information about ongoing law enforcement investigations was recently discovered on refurbished copiers that were awaiting resale as used equipment by an accredited vendor.

Since PCI DSS requirement 3.4 dictates that credit card numbers must be encrypted whenever and wherever they are electronically stored, a copier whose hard drive holds stored images containing credit card data is not PCI compliant. PCI compliance is your best defense against hackers and cyber-criminals. Check with your office equipment vendor to determine whether your copiers, scanners and fax machines are PCI compliant. If these devices pose a PCI DSS vulnerability, you must determine a compensating control (see the current PCI DSS documentation for an explanation) to counteract it.
