What happens when PII is left on an MFD?

Naima Hassen

Staff are generally expected to use company equipment such as scanners, printers and even fax machines for exclusively work-related activities; however, that might not always be the case. I’ve been guilty of using staff equipment for personal reasons such as scanning government documents or printing out things for myself and even family members because who doesn’t love free printing! But recently I’ve been thinking about how secure are these multifunctional devices, not only in our work environment but also in public libraries and universities?

The most recent and concerning observation is the exposure of documents that have gone through these multifunctional devices. Imagine scanning a document that may or may not be work/uni-related- and in the case of many, not work/uni-related; and seeing that anyone on the same network can see what you’ve sent through this multifunctional device. This can occur in transit (files being sent a clear text via SMTP or SMB, and captured through a simple intercept) or stored locally. This should be a concern in any environment, whether it be work, public libraries, shared offices or educational institutions.

So how do we prevent the disclosure of these documents?

Appropriate policies and procedures should be put in place that addresses the disposal procedures for the equipment and protects the sensitive data that the multifunctional devices handle. This can include the following:

  • Incorporating a method to erase the hard disk between jobs such as the job timeout value.
  • Unnecessary protocols and services create unnecessary vulnerabilities so disable unneeded protocols and services.
  • You would not believe how common we’ve seen the use of default credentials on any product, so it’s always good to change default admin credentials.
  • Restrict network access to the printer and its adjacent network. This is generally done by securely configuring the VLAN/ Virtual LAN.

Relying on individual users managing their systems in this instance is ineffective; whether it’s apathy or even having a bad day, users are going to be lazy or make mistakes. Technology should be there to pick up the slack, not policy or procedures.

Incorporating these few steps in your organisation can reduce the number of vulnerabilities present. And if you ever think about printing/ scanning something, it’s good to assume that maybe someone else on the same network can see what you are doing.

--

--

Mercury ISS

Mercury Information Security Services are a leading provider of information security services, advice and consulting.