There was a printer (the big, one cubic meter, enterprise type) in a sensitive air-gapped network that was not used anymore, and there was a plan to reuse it on the main network.
It was nearly installed when I saw it and mentioned that these things have hard drives in them to my Security Officer over a coffee.
It was promptly removed after that.
This organization was quite conscientious about this kind of stuff: every disk was labeled, regularly inventoried and crushed in the presence of the Security Officer when not used anymore.
But these printers can easily be mismanaged as people don't realize they are basically computers that see tons of information.
In some cases, mostly governmental stuff, you can be personally liable if you accidentally misplace documents or other sensitive pieces of information (like spending a few years in prison).
> As for Affinity Health Plan, they issued a statement that said, in part, "we are taking the necessary steps to ensure that none of our customers' personal information remains on other previously leased copiers, and that no personal information will be released inadvertently in the future."
For comparison, per https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf - "As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals."
Of course, any single breach of a copier would be limited to the individuals whose documents touched that copier, and might come under this threshold. Affinity is not on the list at the moment - this may be because the news only just broke.
But do the regulatory bodies say "Affinity, you were found to not have a procedure for properly disposing of copiers, so we need to assume that you've leaked health information from EVERY disposed copier historically?" Only then would it be treated with the same seriousness that e.g. HIPAA-compliant SaaS services are expected to treat security. Just because copier hard drives aren't networked software doesn't mean that they don't have network-scale security problems.
"Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives."
Now on an office copier, of course they do that. But that's what the target here is.
If you have a printer, it likely puts the yellow dots on it.
Storing the images isn't a bug, it's a feature.
These hard drives should be pulled and re-purposed internally for sensitive information in data centers (to reduce waste), and if they can't be, they should be physically destroyed. (US government agencies shred or melt drives).
Ideally, copier companies should (if they insist on not removing the drives) encrypt them by default. That way when you "wipe" the copier for sale, it just deletes the encryption key from flash memory. Then the bar for data recovery becomes incredibly difficult and you don't have to waste the drive.
On the other hand, deleting flash memory is very difficult because the controller doesn’t really do what you ask it to do.
That's great, that means we can store 100's of times more data on the drives than we do!
This isn't true - if it was, hard drive companies would use that space to store primary data, increasing the capacity of their drives by hundreds of times compared to the competition.
Last I knew, most HP network printers still have SNMP enabled by default (with the default "public" and "private" community strings as well) and many (most?) also have exposed web interfaces and the default credentials often are not changed.
Even relatively competent tech people don't realize they can get "pwned" via their printers.
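To make the point above concrete, here is an added example (mine, not from anyone in the thread): it builds an SNMPv1 GetRequest for sysDescr.0 the way a scanner would send it to UDP/161, then parses it back to show that the community string travels as a plaintext OCTET STRING that anyone on the segment can read, and flags the factory defaults "public"/"private". The packet is constructed in memory and nothing is sent; the helper names are my own.

```python
"""SNMPv1 GetRequest on the wire: community strings are cleartext.

Added example, not code from the thread. Builds the BER structure by hand
(no pysnmp) so the field layout is visible, then decodes it the way a
passive sniffer or IDS rule would. Version field 0 means SNMPv1.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # factory defaults on many printers
SYS_DESCR = "1.3.6.1.2.1.1.1.0"                # sysDescr.0, first thing a scanner asks

def _len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_int(n):
    """Non-negative INTEGER; a leading 0x00 keeps the high bit from reading as a sign."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytes([40 * parts[0] + parts[1]])          # first two arcs share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                                     # base-128, high bit = "more follows"
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out

def snmpv1_get(community, oid, request_id=1):
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + b"\x05\x00")   # OID + NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                                  # 0xA0 = GetRequest
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_snmp(pkt):
    """Pull version, community and requested OIDs out of a v1/v2c datagram."""
    tag, msg, _ = _read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)       # sits in the clear, right after the version
    ptag, pdu, _ = _read_tlv(msg, p)
    q = 0
    for _ in range(3):                         # request-id, error-status, error-index
        _, _, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oidb, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oidb))
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode(errors="replace"),
            "pdu": ptag, "oids": oids}

def uses_default_community(pkt):
    """Detection rule: any request carrying a factory-default community string."""
    return parse_snmp(pkt)["community"] in DEFAULT_COMMUNITIES

if __name__ == "__main__":
    pkt = snmpv1_get("public", SYS_DESCR)
    print(pkt.hex())
    print(parse_snmp(pkt), "default:", uses_default_community(pkt))
```

Note that the same decoder works on captured traffic from the printer side too: a reply with community "private" to a SetRequest (PDU tag 0xA3) is the one you really want an alert on, because that is the string that lets someone reconfigure the device.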
Printing: They spool print jobs to their hard drive before printing.
Scanning: They create temporary image files for ocr and pdf conversion. These files then need to be emailed to a user or sent via a file server.
Photocopying: Temporary image files are also created. Photocopying on a digital copier is effectively a scan then print operation.
This makes no sense no matter how many one-line hand-waves you make.
2. Since now your copier/printer/scanner/fax/coffee machine has a 500 GB drive in it, what are other ways we can take advantage of that space? Save a copy of every printed document ("for compliance"), e-mail documents straight to the end user, dump scanned documents (PDFs) straight into a network share (or run such a share on the device itself), cost accounting (by user or department or ...), "hold" printed documents in the queue until the user actually shows up at the printer to retrieve their print job (they can quickly/easily "release" it -- prevents other users from inadvertently seeing documents they shouldn't), and ...
Off-topic edit: Right after I wrote this comment, I remembered how years ago it was possible to "bounce" TCP connections off of HP JetDirect devices. I had a cow-orker that was overly paranoid and always had a terminal window open tailing the logs on his workstation. The look on his face and his bewilderment as he watched his PC slowly being port scanned by a 10-year-old printer in a building 60 miles away (but still within our network) was absolutely hilarious.
Edit: At one of my jobs I had a coworker that put a program he wrote himself on my computer that slowly ate up CPU cycles until the machine seized up and froze. I always carefully locked my machine and out of "paranoia" I had USB autoplay disabled. That was long before this became standard practice in the workplace. He got it onto my computer remotely by exploiting a zero-day flaw he had read about in the VMware driver at the time, which I was using to get actual work done while he was sitting idly by. He thought it was hilarious. I was let go about a month later when I completed all of my tasks ahead of the delivery date. He ended up getting promoted to a senior position by accomplishing nothing and playing pranks.
At another job, some coworkers impersonated my boss by signing up for a google account with his real name and using that to register to the internal business chat system which apparently allowed that. And, then used it to yell at me with profanity that I wasn't working hard. It led to me writing a polite email to my actual boss stating that I was working hard and the profanity wasn't professional or appreciated. I ended up getting terminated over it. They're still there.
I'm sorry if my English isn't that great, but what does it mean to "ork"?
[Usenet] n. fortuitous typo for co-worker, widely used in Usenet, with perhaps a hint that orking cows is illegal. This term was popularized by Scott Adams (the creator of Dilbert) but seems to have originated earlier in a 1997 ScaryDevilMonastery.
They can usually choose to store the documents unless their allocated space is full; sometimes after 15 or 30 days the old documents are deleted. Of course, if you just unplugged a system and got rid of it, the "delete after 30 days" code would never be run.
I have the feeling that these aren't true hard drives and more likely some type of flash memory. The flaw is that the copiers are probably programmed to manage the memory like a massive ring buffer in order to make things like managing page order easier.
2. It's not hand-waving, that's how file systems work.
The real question should be "Why do all photocopiers not come with a command that will erase all data on the internal hard drive, along with instructions telling the purchaser to execute it when they sell or trash the device?"
I find this concept quite disturbing. Imagine how many times in your life you hand over your passport or driver's license for identity validation, someone copies it 'for their records' and you assume the paper copy is destroyed after a while (last time I hired some expensive tools, this happened, but the company gave me the photocopy back when I returned them). Now your private data is sitting on that company's photocopier, probably without anyone having a clue it's made a digital copy as well as a hard copy, and nobody has a hope of controlling it.
I struggle to see a legitimate reason for the existence of such a 'feature'.
Of course the programmer writing the code did not consider all those "undelete" utilities that exist to "undo an unlink(filename) operation" and how they might just be used to recover the files.
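An added example (mine, not from the thread) that ties the "unlink only removes the directory entry" point above to the earlier suggestion that an encrypted drive can be "wiped" by discarding its key. It models a copier disk as 512-byte blocks with a flat directory in block 0: unlinking a scanned page clears one flag byte and leaves the image data in place, so a carver that ignores the directory gets it straight back. Block-level encryption under a per-device key changes that: with the key present the carver still recovers the page (the controller decrypts for whoever asks), and once the key is dropped only ciphertext is left. The disk format, the keystream cipher (a SHA-256 counter construction used only so the example runs without third-party libraries; a real device would use AES-XTS or similar) and the sample document are all constructed for illustration.

```python
"""Data remanence on a copier disk: unlink vs. carve vs. crypto-erase.

Added example, not code from the thread. Everything here is a toy model:
the on-disk layout, the cipher and the document are constructed.
"""
import hashlib
import struct

BLOCK, NBLOCKS = 512, 64
ENTRY = struct.Struct("<16sIIB")        # name, first block, byte length, in-use flag
SLOTS = BLOCK // ENTRY.size             # directory lives in block 0
DOC = b"PATIENT: Jane Roe, DOB 1970-01-01, dx: constructed sample scan"

class CopierDisk:
    def __init__(self, key=None):
        self.image = bytearray(BLOCK * NBLOCKS)
        self.key = key                   # None = unencrypted, or key already discarded
        self.next_free = 1

    def _keystream(self, blk, n):
        """Toy per-block keystream: SHA-256(key || block || counter). Not a real cipher."""
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.key + struct.pack("<II", blk, ctr)).digest()
            ctr += 1
        return out[:n]

    def _crypt(self, blk, data):
        if self.key is None:
            return bytes(data)           # raw bytes go in / come out unchanged
        return bytes(a ^ b for a, b in zip(data, self._keystream(blk, len(data))))

    def read_raw(self, blk):
        """What the controller hands back for a block, directory or not."""
        return self._crypt(blk, self.image[blk * BLOCK:(blk + 1) * BLOCK])

    def _dir_entries(self):
        for slot in range(SLOTS):
            off = slot * ENTRY.size
            yield off, ENTRY.unpack_from(self.image, off)

    def write_file(self, name, data):
        start, nblk = self.next_free, -(-len(data) // BLOCK)
        if start + nblk > NBLOCKS:
            raise OSError("disk full")
        for i in range(nblk):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.image[(start + i) * BLOCK:(start + i + 1) * BLOCK] = self._crypt(start + i, chunk)
        self.next_free += nblk
        for off, (_, _, _, used) in self._dir_entries():
            if not used:
                ENTRY.pack_into(self.image, off, name.encode(), start, len(data), 1)
                return
        raise OSError("directory full")

    def unlink(self, name):
        """Exactly what unlink(2) does: drop the name, leave the data blocks alone."""
        for off, (ename, _, _, used) in self._dir_entries():
            if used and ename.rstrip(b"\0") == name.encode():
                self.image[off + ENTRY.size - 1] = 0     # flag byte only
                return
        raise FileNotFoundError(name)

    def listdir(self):
        return [e[0].rstrip(b"\0").decode() for _, e in self._dir_entries() if e[3]]

def carve(disk, marker):
    """What an 'undelete' tool does: ignore the directory, scan the data area."""
    hits = []
    for blk in range(1, NBLOCKS):
        raw = disk.read_raw(blk)
        i = raw.find(marker)
        if i != -1:
            hits.append(raw[i:].split(b"\0", 1)[0])
    return hits

def demo():
    plain = CopierDisk()
    plain.write_file("scan001.tif", DOC)
    plain.unlink("scan001.tif")

    enc = CopierDisk(key=hashlib.sha256(b"per-device secret held in flash").digest())
    enc.write_file("scan001.tif", DOC)
    enc.unlink("scan001.tif")
    with_key = carve(enc, b"PATIENT")    # key still on the device: still recoverable
    enc.key = None                       # crypto-erase: the only copy of the key is gone
    return {
        "listed": plain.listdir(),              # the OS view: nothing there
        "plain_carved": carve(plain, b"PATIENT"),
        "enc_key_present": with_key,
        "enc_key_erased": carve(enc, b"PATIENT"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "key still on the device" case is the one people forget: encryption at rest only helps at disposal time if the wipe procedure actually destroys the key, and if the key was never readable out of the device in the first place. A copier returned to the lessor with the key intact in flash is in the same position as the Affinity machines.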
Almost all modern copiers employ some kind of Disk Encryption so this issue has largely been resolved.