Thursday, August 07, 2008

When Hardware Leasers Try to Kill You

Following on from my other "when xxx tries to kill you" posts, here's a beauty which just happened to us.

Our company leased a multi-function device from a large brand-name company (who shall remain unnamed) and the device worked very well for about a year.

During that year we used the device as a colour photocopier, printer and scanner. It had some other brilliant capabilities too, like the ability to OCR a word document and scan things to JPEG or PDF.

It could save files on our network shares and could send those files as emails to us both internally and externally via the Domino server. It even hooked into our Domino LDAP nicely, allowing us to look up any email address that was in our address books.

After about a year, we decided that the device was so good, that we would upgrade to the next model - in fact, that we'd get two of the next model and that we'd be using the device as a fax as well.

So the large corporation turned up and swapped out our old devices for new ones and everything has been going well for the past year.

Then, out of the blue, we started getting emails to suggest the machine needed paper. The emails were from a different email address - even a different company. Nevertheless, they were addressed to our internal administration groups for the copiers.

I used the web to look up and contact the company responsible and they confirmed that indeed, they had run out of paper in the last ten minutes. It seems that they had our old machine but hadn't wiped it.

I then contacted the large manufacturer/retailer who originally leased the equipment to us. At first they weren't particularly concerned (or interested) but then I stated that it was a legal matter and that the configuration still had IP addresses of our servers and passwords.

Sure, our firewall would protect us - unless they hacked the VPN (unlikely) or came onsite (also unlikely) but the fact remains that the device had not been wiped and that it contained system information which may or may not have been encrypted - depending on how these systems store it.

The retailer then played hand-me-around with its management people for a little while and then they told me that they'd sold the device to another company who had then re-sold the device to its current owners. They therefore had no right to ask the current owners to remove our settings from the device.

It's with our legal people now but the moral of this story is...

Don't let ANY equipment which may have corporate data on it leave your office without completely erasing it first - even if it's only going for repairs.
