Scanner error: NC State checks turn up in Charlottesville
Anson Parker made a New Year's resolution: To let North Carolina State University know that the scanner he bought on eBay contained copies of thousands of checks written to the school in Raleigh.
"It was millions of dollars in checks," says Parker, with bank account numbers and signatures, and some with Social Security and drivers license numbers.
Parker, who works at the Claude Moore Health Sciences library, had purchased the Canon scanner for $500 on eBay to use in his archival work, and he estimates it would have cost around $5,000 new. "It's a neat little scanner," he says.
How hard was it to discover the cache of check copies?
"It was real hard," deadpans Parker. "I had to plug it in, and it said, would you like to look at archived files?"
And when he found checks– one for $500,000– the implications of what he was sitting on alarmed him.
"Holy smokes," says Parker, who contacted the University and the North Carolina Department of Justice and didn't feel like his information was taken very seriously until January 6, when he got a phone call from his mother, who was contacted by investigators.
"I was ballistic," says Parker. "I'm 34 years old, and they call my mother? That was completely insensitive."
"This was taken very seriously," says NC State spokesman Brad Bohlander. "We received an email January 3 about a scanner from NC State and immediately opened a police investigation." The university contacted the State Bureau of Investigation, he says.
The phone call to Parker's mom, says Bohlander, was to confirm Parker's identity because the correspondence had been by email. "They were trying to verify his claim– that it's a real person and not identity theft," explains Bohlander.
"That's pitiful," says Parker, who notes he's easily found on Google with his LinkedIn profile showing he works at UVA. "They said they couldn't find me? Are you serious? They don't know about Google?"
He says he wanted to Skype with NC State officials to have a recording of the proceedings, and they declined.
As for the scanner, Bohlander reveals that it had been used in the University cashier's office to copy and endorse incoming checks from June 2004 until April 2006, when it was surplused.
"The staff followed the surplus protocol at the time before it was understood that copiers and this kind of scanner held information in its memory," says Bohlander, referring to a 2010 CBS News story that revealed how digital copiers were loaded with information.
"We certainly apologize this information got out," he says. "We are alerting the people affected."
Sharon Morris of Raleigh is one of those people. Her check for $278.86 was copied to the machine's memory in May 2005. "That concerns me," she tells a reporter. "I don't like the idea of my information floating around."
Morris attended NC State, as did her husband and son, and her daughter went to summer school there. "We've written a lot of checks to NC State," she points out.
"It just makes me want to pull my hair out," says Henrietta Timmons, another Raleigh resident whose check for $876 still resides on the scanner's hard drive. "I don't understand why an institution with the reputation of NC State in engineering and computer programming wouldn't know about this. This isn't ABC Company down the road with 50 employees. This is NC State," she declares.
[Disclosure: This reporter discovered a check on the scanner written by her nephew, who is a NCSU graduate.]
Even experts like John Juntunen, who appeared in the CBS News investigation and whose Digital Copier Security in California scrubs copiers, says, "I don't know of any scanners that have hard drives." But, he advises, "If it's got a hard drive in it, it's got to be taken out and cleaned."
Some dealers and manufacturers tell people getting rid of copiers that it's not possible to retrieve information. "That's a lie," says Juntunen.
Canon, the manufacturer of the CD4050N that held the NC State check copies, did not respond to emailed requests from the Hook.
Despite Homeland Security or HIPAA privacy regulations that require it, says Juntunen, the typical cost of $400 to scrub a copier hard drive can present a financial hardship to a business ridding itself of excess equipment. And these surplus machines can sit in warehouses for months before being shipped overseas– or sold on eBay. Juntunen estimates that half to three-quarters of all surplused copiers are not cleaned.
"Nobody's getting fined," Juntunen observes.
The potentially sensitive information on unscrubbed machines, says Juntunen, can roar back to life even if it sits in a warehouse for years or heads overseas. "There's no statute of limitations on a breach," says Juntunen.
So how sensitive are copies of thousands of checks?
Like lists of credit card numbers, a list of checks from businesses would be "very good to a criminal," says Tom Lekan with Atlantis Security Management Consultants. "What you have on a check is potentially valuable information to create scams or schemes," says Lekan. "The more valuable information is when you see a check from a commercial entity for a large amount of money."
At the top of the list of info most prized by identity thieves, says Lekan, are databases from places like the military or colleges, with names, Social Security numbers, and dates of birth.
"That's the mother lode in the criminal world," he says. "And it lives on in perpetuity."
And that's the kind of breach that occurred at UVA in 2007, when the university discovered hackers had gotten access to the records of 5,735 faculty members. UVA notified all victims, and they were given free credit monitoring for a year.
"A few individuals affected by the incident reported that their personal information was used to commit identity theft," says UVA spokeswoman Carol Wood in an email.
Because there are so many data breaches reported every year– an estimated 79 million records compromised in the U.S. in 2007– "it is often impossible to trace one identity theft case to a specific breach," says Wood.
"It's more likely if they were victims of identity theft, it came from that breach," opines Lekan, who says such lists are sold and resold.
Down in Raleigh, administrators at NC State are happy to have the sensitive scanner back. "We're appreciative [Parker] informed us and gave it back," says spokesman Bohlander.
As for Parker, "It's such a relief to have that thing gone," he says after his Downtown Mall meeting with NC State police officers. But he's still not happy about his mother being called.
"You can't apologize?" he wonders aloud in the direction of North Carolina.
–edited slightly on Tuesday, January 17