Scanner error: NC State checks turn up in Charlottesville

Anson Parker made a New Year's resolution: To let North Carolina State University know that the scanner he bought on eBay contained copies of thousands of checks written to the school in Raleigh.

"It was millions of dollars in checks," says Parker, with bank account numbers and signatures, and some with Social Security and drivers license numbers.

Parker, who works at the Claude Moore Health Sciences library, had purchased the Canon scanner for $500 on eBay to use in his archival work, and he estimates it would have cost around $5,000 new. "It's a neat little scanner," he says.

How hard was it to discover the cache of check copies?

"It was real hard," deadpans Parker. "I had to plug it in, and it said, would you like to look at archived files?"

And when he found checks– one for $500,000– the implications of what he was sitting on alarmed him.

"Holy smokes," says Parker, who contacted the University and the North Carolina Department of Justice and didn't feel like his information was taken very seriously until January 6, when he got a phone call from his mother, who was contacted by investigators.

"I was ballistic," says Parker. "I'm 34 years old, and they call my mother? That was completely insensitive."

"This was taken very seriously," says NC State spokesman Brad Bohlander. "We received an email January 3 about a scanner from NC State and immediately opened a police investigation." The university contacted the State Bureau of Investigation, he says.

The phone call to Parker's mom, says Bohlander, was to confirm Parker's identity because the correspondence had been by email. "They were trying to verify his claim– that it's a real person and not identity theft," explains Bohlander.

"That's pitiful," says Parker, who notes he's easily found on Google with his LinkedIn profile showing he works at UVA. "They said they couldn't find me? Are you serious? They don't know about Google?" 

He says he wanted to Skype with NC State officials to have a recording of the proceedings, and they declined.

As for the scanner, Bohlander reveals that it had been used in the University cashier's office to copy and endorse incoming checks from June 2004 until April 2006, when it was surplused.

"The staff followed the surplus protocol at the time before it was understood that copiers and this kind of scanner held information in its memory," says Bohlander, referring to a 2010 CBS News story that revealed how digital copiers were loaded with information.

"We certainly apologize this information got out," he says. "We are alerting the people affected."

Sharon Morris of Raleigh is one of those people. Her check for $278.86 was copied to the machine's memory in May 2005. "That concerns me," she tells a reporter. "I don't like the idea of my information floating around."

Morris attended NC State, as did her husband and son, and her daughter went to summer school there. "We've written a lot of checks to NC State," she points out.

"It just makes me want to pull my hair out," says Henrietta Timmons, another Raleigh resident whose check for $876 still resides on the scanner's hard drive. "I don't understand why an institution with the reputation of NC State in engineering and computer programming wouldn't know about this. This isn't ABC Company down the road with 50 employees. This is NC State," she declares.

[Disclosure: This reporter discovered a check on the scanner written by her nephew, who is a NCSU graduate.]

Even experts like John Juntunen, who appeared in the CBS News investigation and whose Digital Copier Security in California scrubs copiers, says, "I don't know of any scanners that have  hard drives." But, he advises, "If it's got a hard drive in it, it's got to be taken out and cleaned."

Some dealers and manufacturers tell people getting rid of copiers that it's not possible to retrieve information. "That's a lie," says Juntunen.

Canon, the manufacturer of the CD4050N that held the NC State check copies, did not respond to emailed requests from the Hook.

Despite Homeland Security or HIPAA privacy regulations that require it, says Juntunen, the typical cost of $400 to scrub a copier hard drive can present a financial hardship to a business ridding itself of excess equipment. And these surplus machines can sit in warehouses for months before being shipped overseas– or sold on eBay. Juntunen estimates that half to three-quarters of all surplused copiers are not cleaned.

"Nobody's getting fined," Juntunen observes.

The potentially sensitive information on unscrubbed machines, says Juntunen, can roar back to life even if it sits in a warehouse for years or heads overseas. "There's no statute of limitations on a breach," says Juntunen.

So how sensitive are copies of thousands of checks?

Like lists of credit card numbers, a list of checks from businesses would be "very good to a criminal," says Tom Lekan with Atlantis Security Management Consultants. "What you have on a check is potentially valuable information to create scams or schemes," says Lekan. "The more valuable information is when you see a check from a commercial entity for a large amount of money."

At the top of the list of info most prized by identity thieves, says Lekan, are databases from places like the military or colleges, with names, Social Security numbers, and dates of birth.

"That's the mother lode in the criminal world," he says. "And it lives on in perpetuity."

And that's the kind of breach that occurred at UVA in 2007, when the university discovered hackers had gotten access to the records of 5,735 faculty members. UVA notified all victims, and they were given free credit monitoring for a year.

"A few individuals affected by the incident reported that their personal information was used to commit identity theft," says UVA spokeswoman Carol Wood in an email.

Because there are so many data breaches reported every year– an estimated 79 million records compromised in the U.S. in 2007– "it is often impossible to trace one identity theft case to a specific breach," says Wood.

"It's more likely if they were victims of identity theft, it came from that breach," opines Lekan, who says such lists are sold and resold.

Down in Raleigh, administrators at NC State are happy to have the sensitive scanner back. "We're appreciative [Parker] informed us and gave it back," says spokesman Bohlander.

As for Parker, "It's such a relief to have that thing gone," he says after his Downtown Mall meeting with NC State police officers. But he's still not happy about his mother being called.

"You can't apologize?" he wonders aloud in the direction of North Carolina.

–edited slightly on Tuesday, January 17


I'm glad this guy got this obviously much needed attention.

Deleted by moderator.

Meanwhile, it's not about this guy.

A lot of people should be thankful this scanner didn't end up in Nigeria.

I know right?

GSOE- what makes you think the info has not ended up in Nigeria? The guy bought it off eBay.............

Nice try, Hook, but this won't be your "millions of records of information leaked onto the internet" scoop, now will it? This is a non-story and, one wonders, how this little lib drinking covered coffee at some local pretentious coffee place disseminated the information to the media? And now he wants an apology for NC calling his mum? Are you sure there is not a typo in here...perhaps he is 3.4 years old and not 34. Ugh!
R.I.P.: Little Brutus

SkipD, I have never known anybody in Nigeria to pay for anything from any source. They attempt to scam merchandise. So I doubt anything ended up in Nigeria.

Agreed, the story isn't about me, and it's not about the checks particularly, although there's probably no telling where all the copies of the data are. The fact is the only reason you're reading this is because both the NC Dept of Justice and NC State police refused to communicate over authenticated lines such as email or skype, and I refuse to talk to authorities "off-the-record." I know better than to trust people when cash of that amount is involved - everything needs to be on the record. And yes, you call my mother up and get her nervous - I will go ballistic. Call it childish, call it whatever you'd like but under the circumstances I took it as a threat like "Hey - we know who your family is" - and so yes, I'm smiling in these pictures because getting to dish back on a bunch of lying incompetent cops takes the edge off - anyhow - everyone's got an opinion, that's mine :)

Thanks Anson for putting this story out where the public can see it. I talked to my accountant and he was unaware that scanners can retain data, and think of all the info on his old scanners. We all need to be far more educated about privacy matters than we are, and this helps. And I appreciate the service the Hook is doing by publishing the story.

Anson, the last statement--your rationale for smiling in the photo--speaks volumes. Not sure where the "lying cops" angle comes in. They say that they received an email on 1/3/12 and called your mum on 1/6/12; three days. Seems logical to me for them to initiate an investigation and then try to contact people other than the main suspect (which, since you sent the email, you would be) who only communicated to them via email.
Similarly, I am not surprised by The Hook to run the story angled as it was.
I am not naive enough to think that large institutions--including the one from where you take a paycheck and benefits--are hard-wired to deny, cover up, minimize and sanitize. (Wow, I am rhyming like Jesse Jackson here!) I am also not so naive to think that the press is one of those large institutions. I just don't see that much of a cover up or conspiracy of lies here.
R.I.P.: Dr. Winston O'Boogie

BTW, thanks for the link to Anson's story from 2004. I am glad to see Hook reporters (Provence) had spelling errors back then too. If you're going to refer a pop culture icon, it is "surfer Jeff Spicoli," not "Spicolo." But if you're gonna try to be hipper than thou, then do it right.
R.I.P.: Doug Fieger

Oops, so sorry...C. Stuart was the cub reporter in 2004. Not Lisa Provence. Sometimes, in our effort to get critical news stories to the public as rapidly as possible, our web writers commit errors. We do our best to find those and correct them. Sometimes they slip through.
--Jim Hanchett, Newsplex
R.I.P.: Bill "Cowboy" Flett

You're right liberalace, they're either lying or grossly incompetent. I suspect lying because they told me they were contacting my family to see whether it was in fact me who had written them and because they said that they could not find my phone number. My first email to the Dept of Justice was from a registered UVA email (on Jan 1st for the record) and getting my number takes ~2-3 minutes depending on your skill with google. Furthermore it would have been a lot easier to have just gotten on skype and used a nice video line as I suggested.

On the other hand, and you're correct here again, why would they need to contact other people unless I was being treated as a suspect? And indeed I was being treated as a suspect... but why? All I did was cooperate to the best of my ability within reason. I came to them, offered their machine back, and I'm being treated as a suspect? It made me incredibly nervous - like "hey - these guys may try to pin their mistakes on me..." which is the primary reason I wanted to keep everything on the record to begin with.

Again, the story is not the checks, and has nothing to do with me - what is the case is that these people really don't seem to have a grip on technology or manners. I had initially offered a grace period to them - suggesting that they prepare a response before going to the media. I was trying pretty hard to be generous and allowing of what seemed to me like a small mistake - something anyone could do on a bad day. "Don't blame the secretaries" was the closing line in my opening email. I really hoped that no one would get in any real trouble from this and that everyone would learn a good lesson. In spite of a fairly generous attitude on my part I was treated very rudely and unprofessionally, and yes, I think an apology is a reasonable thing to ask.

My comment was deleted. But to clean it up, he looks "silly" with the thumbs up sign, and typewriter sitting there on the table, that he lugged around. I don't believe his story either. He's being too private, perhaps the real story is how he really got the scanner.

Thanks for the picture also. This is going to be a nice discussion on social media websites. Take care!

Kudos to The Hook for taking on this big story and kudos to the guy for his scrupulous actions. This is likely the worst security leak by any institution in the US in the past decade. I won't be surprised if North Carolina State University does not try to wiggle out of this egregiously negligent situation which they entirely due to their negligence. I hope some lawyer gets a hold of the story because I'm sure there is a huge class action lawsuit here.

There is a reason check fraud is a Federal crime. North Carolina State University I'm sure will visited by the Feds and should be fined big-time! Thank goodness this guy did his civil duty and did not sell the checks to the black market. I'm sure that personal information is worth millions.

Initially, in any investigation--sans other evidence--the person who discovers the crime will be eliminated right away as evidence warrants. They say they received the email on 1/3, and contacted your mum on 1/6. This was not a high profile case say, like a murder where they need to jump on it same day and begin an all out investigation. They got the email, maybe even researched it a bit for a day or two (did you provide them with the serial number of the printer/scanner?), then began phone calls. Sure, you honestly contacted them to be proactive but--and you should know better--large institutions are going to be "slow-active" unless there is some overwhelming reason not to be.
A few other points/questions:
1. If the story is not about you, then why the staged picture in The Hook?
2. Did you buy the copier to do UVa Library work on it? If yes, did you pay your own money for it? If you were going to do official University work on it, you could have approached UVa and gotten some opinions. Heck, if it is the norm for archivists in UVa libraries to use their own equipment to archive university property (files, literature, etc.), then UVa might even have covered your butt when you went to authorities (to make sure you were not treated unfairly or blamed). It is one state university dealing with another state school.
3. I do not see how you were treated anything but institutionally. The same way your employer would likely treat me if the situation were reversed. I do not see the "rudeness" in here. I do not see lying either. I do not see any "gross" incompetence either..just normal bureaucracy at work.
4. How old is your mum? The article paints it like she is some elderly wallflower who wilted in fear when "The Man" called her. I suspect she is a late-50s/early-60s woman who is strong enough to calmly call you and mention that authorities called her. "What's going on Anson?" "Well, Mom, a computer I use at work to scan documents was bought from NC State. Apparently, it had leftover scanned files from them that contained private information. They are trying to get to the bottom of it and want to verify my identity as part of the checkup on all users of that printer." You know, something like that.

Anyways, homeboy, welcome to the real world. Not sure where you been since you graduated college, but that is how things work.

BTW, I always thought "identity theft" was a poor name. "PIPPING" would be a better term: Personal Information Pilferage."

R.I.P.: Tony Conigliaro

Broomdust -- Huh? You're focusing on the photo and putting down a person in the photo based on the photo? Guess the story itself was way over your head (being broomdust and all)

The handle "Liberalace" claims to be Jim Hanchett of Newsplex. I'm sure the claim is a farse because I can't imagine a career news guy being so ill mannered and off base and attacking a citizen for going public with such important information.

The story is about a huge security leak, a negligent monolithic institution, and a citizen trying hard to do the right thing. I've connected with the source and Anson Parker is right on. His information is dead on and, for the sake of 10's of thousands of good folks who trusted North Carolina State University with their financial information, I hope NC State does the right thing and informs all 12,000 check owners and follows due process.

Important news. Thanks Hook.

The story was shabby as well. The picture made the whole story seem like such a joke. How can you take him serious? Why should the authories have taken him seriously? I certainly don't. The real story is perhaps, how he really gained the scanner.

Yeah, broomdust, there are people who are hard to take seriously, like people who are broomdust. What's your personal issue, here, as you obviously have one? Did you get outbid on ebay?

You are obviously a little out of touch with reality if you think the authorities are going to conduct a police interview/investigation over Skype...

However, good on you for contacting the institution and handling that portion of the situation like a sensible and responsible adult...

PS: Nice picture...

They should have paid him $500 for the scanner (what he paid for it) and mileage for taking it to them. (And maybe they did and I missed that in a quick scan of the story)

Liberalace, you can't imagine where the "lying incompetent cops" angle comes into play? I can. This new breed of Gestapo rookies that police departments have been hiring for the last 15 years made the bed for law enforcement, now they ALL have to sleep in this same bed.

30 years ago the public believed in and trusted cops. But now 50% of the public wouldn't trust 'em as far as they cansee them. And with each new report of a crooked lying cop in the media, the percentage steadily rises in my opinion.

Jim Hanchett, Liberalace wasn't claiming to be you????

He/she quoted you from a Newsplex story. That is why your name appears at the end of the quote.


Did they at least pay you back for the scanner? Don't worry, it'll be on Craigslist soon. That is all.

I'm whats left behind lingering once the real trash has been discarded. Catch me and my gang of dustbunnies if you can.

@ broomdust

"The real story is perhaps, how he really gained the scanner."

Na, I think the real story is a not-so-subtle advertisement for Mudhouse coffee.

mmmmmmmm, Mudhouse coffee....

Thumbs up!

GSOE, I am not debating the cop thing. It just was not demonstrated clearly in this story, and I have a sensitivity to people in the media throwing the word "lying" around lightly. Truth is, I fall on the side that this was not that big a story. But that's a debate for a school of journalism.
Now, as far as the Hanchett thing goes, "Jim Hanchett...NOT" should actually be accused of posing has Hanchett; I notice he spelled "farce" incorrectly as "farse." That's a dead giveaway.
I thought one of the more telling parts of the story was the accountant who claimed "not to know that scanners held scanned documents in a drive." If you take him/her at word, we can assume many accountants around the country do not know this. Then who is counseling them on data security? Much scarier to me.
One final note, what is that thing coming down Huja's face, below the chin and up the other side that looks remarkably like one of those little firework charcoal snakes we use to light up so it would sizzle, smoke and turn to ashes?
R.I.P.: Dazzy Vance

Liberalace, if you're not going to debate whether lying incompetent cops exist ot not, my job is done in this particular discussion.

I think that stuff on Huja's face is his beard. It is pulled up around his head and glued to his hair. Or something like that. I am not an expert on the various religions worldwide, but I think his prohibits cutting facial hair and the hair on his head.