
Is Personal Information Compromised in the Town of Bethel Via Leased Copier Machines?

Report by Paula Antolini, October 28, 2019, 4:49PM EDT

Board of Finance member Cynthia McCorkindale recently uncovered valuable information during her extensive research into the budget of the Town of Bethel, regarding excessive lease costs for copier machines and supplies, as reported in the local Gazette this week. This includes copier machines in municipal buildings such as the Bethel Fire Departments, the Bethel Police Station and the Bethel Public Schools.

“Board of Finance member McCorkindale believes this could be the tip of an iceberg of financial insider dealings that inflate the Town budget by hundreds of thousands of dollars or more, and has begun a more detailed review of the town budget,” reads the article in the Gazette.

McCorkindale also discovered that the company supplying the allegedly overpriced copiers and supplies is owned by Mr. Michael Boyle, President of BASE Technologies since 1992, “a leading provider of copiers, laser printers, document management solutions and services to clients in Connecticut and nationwide,” reads the company's website. Boyle is also the Chairman of the Economic Development Commission.

Other very concerning factors emerged when McCorkindale realized that permission is needed from the Bethel Board of Finance for departments to purchase expensive items but not needed when those same expensive items are leased.

Of utmost concern, and what lit social media on fire recently in local online chat forums, is the security factor: allegedly, copies of all documents made on these copiers can be viewed in some way by unauthorized parties, or possibly by remote access from the seller company, BASE Technologies, which is also possibly able to access information on connected devices such as computers and laptops at all the Bethel locations mentioned above.

Did the Town of Bethel take the proper, required and necessary steps to put purchase or leasing of copier machines and supplies out to bid, for as many as 28 high-end machines alone for the Bethel Public Schools, for example, and many more copiers in other locations? Once selected, did contracts include security stipulations, or none at all? If so, who has access to all this information in Bethel, private information and otherwise, and from where is it accessed and where is it stored? What security measures pertain to where information is stored remotely or what is the security clearance for individuals that can view or access information?

This is what Cynthia McCorkindale intends to investigate further.

*****

A look at the BASE Technologies website under “Is Your Data Secure 24/7?” shows that the company provides numerous services for identifying and addressing possible security vulnerabilities, along with data security solutions.

The question becomes: does the Town of Bethel have all these security measures in place, and is it willing to provide the documentation to the public to prove that? Otherwise, who is checking to make sure no private information is accessible?

Also, how can we verify the process by which ONE company was chosen to provide all the copiers and supplies to Bethel, when the owner of that company happens to be the Chairman of the Economic Development Commission?

Who decided exactly which copiers were chosen to lease, and based on what criteria? Can we get documentation on that, and if so, how quickly?

McCorkindale indicates that the style of copier chosen, and the number of copiers of that same style, is overkill, and that simpler, less expensive copiers would have been sufficient to serve the needs of the departments using them. Perhaps only a few copiers with multiple features could be located sensibly and accessed if needed, which would be more economical than equipping every location with copiers full of useless features.

Or, as with many other issues in Bethel, the town officials claim it takes weeks or months to gather information on most topics of concern, and make it seem overly complicated to retrieve. Documents concerning hundreds of thousands of dollars should not be difficult to retrieve.

*****
On Sunday, October 27, 2019, First Selectman Matthew Knickerbocker issued a statement on Facebook regarding this issue:

Dear Friends:

This has all the earmarks of a highly questionable pre-election hit piece. Readers should be advised of the following facts:

* The data quoted is incomplete. This information was only recently requested under Freedom of Information law, and much of it has not yet been turned over as it has to be retrieved from storage and sorted through. The author appears to be cherry picking data and editorializing for maximum effect.

* The only data being transmitted is the number of copies from each machine. No personal data is shared.

* Mr. Boyle, the owner of Base Technologies, has served the town on several boards and commissions over the years. At no time has he had any influence over the purchase or leasing decisions that have been made as part of open bidding as required under the town charter. There is strict ethics language in both town code and charter, and he has remained fully compliant with these laws.

Thank you.

Knickerbocker also added:

Let me add that when all the documents are available for review, they will show that every agreement was part of a public bidding process that was open to all vendors. The purchase decisions were made not only on the basis of cost, but also speed of service when machines break down and brand reliability.

Again, this is clearly politically motivated, and in my opinion unprofessional for any “news” website [Bethel Community Gazette] to publish as anything other than a personal editorial.

*****

The Federal Trade Commission (FTC) Protecting America’s Consumers website lists information regarding “Digital Copier Data Security: A Guide for Businesses.” They state:

“Does your company keep sensitive data — Social Security numbers, credit reports, account numbers, health records, or business secrets? If so, then you’ve probably instituted safeguards to protect that information. Your information security plans also should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft.”

Digital Copiers are Computers

Today’s generation of networked multifunction devices — known as “digital copiers” — are “smart” machines that are used for more than just copying; they can do everything from copying, printing, scanning, faxing to emailing documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production.

The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.

The Life-Cycle of a Copier

Digital copiers often are leased, returned, and then leased again or sold. It’s important to know how to secure data that may be retained on a digital copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.

It’s wise to build in data security for each stage of your digital copier’s life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Before you acquire a copier:

Make sure it’s included in your organization’s information security policies. Copiers should be managed and maintained by your organization’s IT staff. Employees who have expertise and responsibility for securing your computers and servers also should have responsibility for securing data stored on your digital copiers.  Consider how your digital copier will need to be configured to comply with your organization’s information security.  Copiers may have multiple network connections, including wifi, that will need to be secured like other wifi capable devices in your network.

When you buy or lease a digital copier:

Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their digital copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption scrambles the data on the hard drive so it can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting — also known as file wiping or shredding — changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

Depending on the copier, the overwriting feature may allow a user to overwrite after every job run, periodically to clean out the memory, or on a preset schedule. Users may be able to set the number of times data is overwritten — generally, the more times the data is overwritten, the safer it is from being retrieved. However, for speed and convenience, some printers let you save documents (for example, a personnel leave slip) and print them straight from the printer hard drive without having to retrieve the file from your computer. For copiers that offer this feature, the memory is not overwritten with the rest of the memory. Users should be aware that these documents are still available.

Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard drive doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.

Yet another layer of security that can be added involves the ability to lock the hard drives using a passcode; this means that the data is protected, even if the drive is removed from the machine.

Finally, think ahead to how you will dispose of the data that accumulates on the copier over time. Check that your lease contract or purchase agreement states that your company will retain ownership of all hard drives at end-of-life, or that the company providing the copier will overwrite the hard drive.

When you use the copier:

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month.

If your current device doesn’t have security features, think about how you will integrate the next device you lease or purchase into your information security plans. Plan now for how you will dispose of the copier securely. For example, you may want to consider placing a sticker or placard on the machine that says: “Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal.” This will inform users of the security issues, and remind them of the appropriate procedures when the machine reaches the end of its usable life.

In addition, your organization’s IT staff should make sure digital copiers connected to your network are securely integrated. Just like computers and servers that store sensitive information, networked copiers should be protected against outside intrusions and attacks.

Use authentication at the device. In other words, require a password, card swipe, biometric information, or other authentication when physically accessing the device.

Consider using “pull printing” — which is sometimes called “walk-up printing” and “release printing” — if your digital copier manufacturer offers it. Pull printing is software that stores documents you intend to print, but before the job will print, the user must supply proof of his or her identity.

You can also use software to create rules to manage print jobs. Use these print rules to restrict access to certain printers and to provide audit trails to help determine culpability in the event of a breach.

Change the default network password.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.
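
The guide's distinction between deleting and overwriting, and its caveat that documents saved on the device are not overwritten, shown on a modelled drive. This is an added example, not part of this report or the FTC guide; `ToyDrive`, the job names and the sample Social Security numbers are constructed for illustration and do not describe any particular copier.

```python
import os
import re

BLOCK = 512  # bytes per block on the modelled drive

class ToyDrive:
    """Raw block storage plus an index that maps job names to blocks."""

    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)
        self.index = {}          # name -> (first block, block count)
        self.next_block = 0

    def store(self, name, data):
        count = -(-len(data) // BLOCK)            # ceiling division
        offset = self.next_block * BLOCK
        self.raw[offset:offset + len(data)] = data
        self.index[name] = (self.next_block, count)
        self.next_block += count

    def delete(self, name):
        # Deleting only drops the index entry; the blocks keep their bytes.
        del self.index[name]

    def wipe_free_blocks(self):
        # Overwriting replaces the bytes of every block no job still owns.
        used = {b for first, n in self.index.values() for b in range(first, first + n)}
        for b in range(len(self.raw) // BLOCK):
            if b not in used:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)

SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def residual_ssns(drive):
    """Scan the raw bytes, ignoring the index, as a recovery utility would."""
    return SSN.findall(bytes(drive.raw))

def demo():
    drive = ToyDrive()
    drive.store("copy_job", b"Credit report, SSN 000-12-3456")   # constructed sample
    drive.store("saved_form", b"Leave slip, SSN 000-98-7654")    # constructed sample
    before = residual_ssns(drive)
    drive.delete("copy_job")
    after_delete = residual_ssns(drive)      # deleted job is still readable
    drive.wipe_free_blocks()
    after_wipe = residual_ssns(drive)        # only the saved document remains
    return before, after_delete, after_wipe
```

Running the same kind of raw scan against a drive after a vendor's overwrite is one way to confirm the wipe actually happened before a leased machine is returned.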

###