So how easy is it to obtain information or documents from these machines? I decided to do a little test of my own by going to the local FedEx Kinkos, since our office copier lacks anything “high-end.” (That is another story.) I found a higher-end digital copier machine that had scanning capabilities. My intention was to ask a FedEx Kinkos employee if the machines had hard drives embedded within their skeleton; however, I came across something that captured my interest.
I discovered that the machine had a “recall” option, where the last three items copied or scanned were made available to me! I chose one of the three, and the MFP started printing out 10 copies of what appeared to be a confidential presentation from a local company that was proposing the acquisition of a large, publicly traded company. I later checked secondary research, open-source news, and investor sites to discover that the notion of a merger or acquisition with the company in question was not even being considered, much less publicly released. This could have caused a real issue for the company involved if a “get-rich quick” trader had leveraged this information in the stock market.
I then asked one of the FedEx Kinkos employees about the hard drives allegedly installed in these machines. The employee kindly told me that these copy machines were “top-of-the-line digital MFPs, each containing 1 GB [gigabyte] of hard drive space for storage.”
When I asked how this information could be accessed, she told me that the hard drives are “easily removable” from the machines.
I then inquired about how this might place personal or corporate information at risk, and I was surprised by the response I received from her. “That is definitely an issue [internal MFP hard drives], but what gets me the most is when people come in here [to FedEx Kinkos] from area businesses and photocopy and print dozens of copies of confidential and non-public materials and then just leave extra copies laying around. I am always picking up … presentations marked ‘confidential,’ ‘do not distribute,’ or ‘internal company information — not for external distribution,’” the employee told me.
She further said, “And, it must be common knowledge that documents get left at a FedEx Kinkos because there was a guy who [used to come] in here each week to collect presentations and extra copies left on the printers or scanners. After about the fourth or fifth day, I asked him what he was doing, and he told me that he worked for — [name omitted — the company is a competitor of a Fortune 500 company in the area]. He was hired as the company’s competitive intelligence manager, and one of the first places he went to get his information was the FedEx Kinkos closest to the competitor’s facility.” My jaw nearly dropped.
This is an example of why company employees need basic awareness training about information security. Leaving confidential documents behind in public places is 100% sheer laziness. According to the Kinko’s store manager of the location I visited, “Every Kinko’s has secure shredder boxes for customers to use. We make sure that any piece of paper that goes into that box is shredded and unable to be used by a would-be identity thief or corporate intelligence agent.”
Investing in basic employee awareness training is a must to increase awareness about confidential document security. But this story is also a good reminder that annual audits of your company’s risk level for information loss can help prevent embarrassing incidents of personal customer data loss or confidential company document loss. Understanding that office equipment and devices that hold information — either temporarily or for long periods of time — can be accidentally or intentionally transferred to criminals who wish to make a quick buck is key to raising that awareness.