Best Practices for Retiring Printers
Printers can contain a variety of private information, including copies of the documents printed or scanned. When a printer is retired it typically goes into a electronics-recycling workflow or repurposed. What happens to the printers after that is cause for concern.
When retiring a printer, consider the following checklist.
Many multifunction printers support flash-memory cards for storage and to transfer photos etc. This media may also contain scanned documents.
Ensure the printer does not have any memory cards attached. Check carefully as they are often not in obvious places. Check the documention for the location of memory card slots.
Check Email Accounts
Many printers and multifunction devices can send scanned documents or system reports to external email addresses. To do this, SMTP account information is required. Check if this has been configured. If the settings include the password for an email account, change the password for the account.
A particular risk is that it is quite common to use Gmail accounts to send emails from multifunction devices as it is easy, reliable and free. However Gmail stores all message sent via its SMTP service into the Sent folder of the mailbox. Thus the account may contain hundreds or thousands of scanned documents. If the credentials for the account leak because they can be retrieved from the device, this exposes every scanned document. Thus it is important to change the SMTP password every time a device leaves your control or delete the associated App Password.
Check File Shares
Many multifunction devices can send scanned documents to SMB (Windows file share) locations. This requires a username and password. Check the device's address book for SMB, FTP and other locations. Change the password for any accounts used to connect to these resources.
Check Cloud Services
Some multifunction devices can send scanned documents to various cloud storage services, for example Dropbox, OneDrive, Box etc. This is typically done via a token rather than a traditional username/password pair. Removing the link to the cloud service from the printer's settings may not completely invalidate the token on the cloud provider. Check the cloud provider's settings for linked devices and delete the link. For example, in Dropbox run the Security Checkup wizard. Although the password for the account is less relevant to maintain the connection between the device and the service, change the password anyway.
Check Hard Drive
Some larger or higher-end printers/multifunction devices have hard disk or solid state storage to assist with despooling and other storage tasks, where these cannot be performed wholly in the printer's RAM. This means that print jobs and scanned images will be temporarily stored on the disk and the risk exists that they can be recovered. Some printers also support the after-market addition of disk drives. Check if your device has a drive. Additionally, check if the device can initiate a wipe operation on the drive. If there is a wipe operation, it should take several hours to complete. If a “wipe” operation occurs within a few minutes it is most likely only a “format” or “initialise” operation and the data will not have been zeroed.
If the printer is being disposed of, the disk drive should be removed so it can be cleansed and destroyed separately from the printer. If the printer is being repurposed or needs to be returned under a lease/rental agreement, seek assurances from the vendor that the drive will be properly wiped. Or, if the drive can be easily removed anyway, remove it, wipe, and reinstall. The drives in these devices are normal disk drives and can be mounted into a cradle and wiped easily using Windows.
Typically printers which are connected with wifi need to be on the most permissive network so other devices are able to communicate with it. Therefore they can't be attached to “guest” networks etc. So, unfortunately, the printer contains the password for the network that needs the most protection. Remove or overwrite the wifi password from the device. This may not happen automatically on a factory reset; for example see https://psirt.canon/advisory-information/cp2023-003.
If you have the ability, change the wifi password completely when an old printer is retired to ensure that a useable password can't be retrieved from the device. This also applies if your wifi SSID does not readily identify your premises, because there are databases of wifi SSIDs which have geolocation data, and so your apparently random, vendor-created wifi name (such as WiFi-6734E9) may be linked to a location nevertheless. If your wifi identifies your business name it is even more important.
Finally, perform a factory reset on the device. This should clear out all/most networking, address book and other settings, but when complete check for any settings which remain, and remove them manually. While a factory reset does not guarentee that configuration data can't be recovered, it does reduce the risk. In any case, if you've been able to reset the passwords for various email, network and cloud accounts as above, any configuration information that can be recovered despite the factory reset won't be useful. Note that factory resets do not wipe data if the device has local storage.
Also see Wiping Kyocera Printers For Fun & Profit.