In the post about the discovered Xerox MFC configuration security issue, I alluded to frustrations with communicating with the company. Wanted to shed some light on that.
Example 1: at the local (WA office) level, it seemed like there was very little concern from the VP (who CC’d in the service manager, though there was no correspondence from him), and I suspected they hadn’t alerted anyone higher up the chain. On Sept 13th, after I had previously gone through the details of what I was seeing in the incoming emails, as well as what I’d seen on my client’s MFC, I received an email from the VP that said: “This has been resolved and how would we go about getting the domain back?”
My reply: “I think the easiest route is to make me a reasonable offer based on the value of the domain, time and value in alerting the company to the issues with the configuration, the potential effects of the issue with regulatory compliance for some of those clients, and I assume the taking down of the post detailing the issue. Willing to also do an NDA if requested.”
Him, and what led me to believe higher-ups hadn’t been notified of the issue: “I don’t have access to funds more than petty cash, I am not sure what you want or think is reasonable.”
So I replied: “I’ve received six scans since your email, so it does not appear the issue is resolved.”
Example 5: Now we get to a series of doozies. My reply to the NDA then led to me receiving an email on Oct 10th from the Deputy Director of Xerox corporate security, CC:ing in some other folks, and stating that he would now be my single point of contact going forward. And then this: “While I believe I have an understanding of the facts, I would like to propose a meeting to review those facts and determine appropriate next steps.
I will send you some availability windows in a separate email shortly.”
Straightforward. But…not so much. That email came on a Thurs morning. Didn’t hear anything back, so emailed on the following Monday afternoon “Wanted to check back in–hadn’t received that follow up email with the availability windows.”
Did I get an email? No.
I got, on Tues afternoon, and without consultation, discussion, or explanation, a calendar invite for a Zoom meeting the next morning at 8:30am. Oh, and he included in that Zoom meeting Xerox legal counsel…despite his having explained he’d be the single point of contact.
I didn’t respond. But at 8:05am that morning, he sent a cancellation.
Then that afternoon, also without consultation, discussion, or explanation, he sent another calendar invite for a Zoom meeting the next morning at 8am.
By Friday I was done, and decided to just walk away from the table, so to speak:
“My intent on reaching out to Xerox, from the time of the discovery until now, has been to notify the company about the issue, because I saw the potential severity of it both to Xerox and the companies affected. I presented the information in good faith.
To be completely frank, from the beginning the reaction to the issue and the communication (or non-communication) from the various Xerox contacts has been bewildering.
I still believe that the issue is a major one, and that it does not meet the Xerox Safeguarding and Using Customer Information section of the Xerox Code of Business Conduct.
But I also realize ultimately that is Xerox‘s call, and that I’ve spent far too much time and energy on this for it to be worth continuing.
With that being said, I leave you with the information about the issue and walk away from the table, not demanding or requesting anything.”
There was a response that essentially ignored the email, but then seemed to try to position himself by using the phrases “I had made several attempts” and “any of this week’s invitation”.
“This appears to be another example of the communication with Xerox that I called bewildering. Even if it wasn’t with intent, it falls in line with much of the other communication from the company.
To review:
4. Two invites do not equate to “several attempts”, or the multiple implied in “any of this week’s invitations”, and they certainly don’t meet the expectation you set in your original email with “some availability windows in a separate email shortly.”
I still believe that the issue is a major one, and that it does not meet the Xerox Safeguarding and Using Customer Information section of the Xerox Code of Business Conduct.
But I also realize ultimately that is Xerox‘s call, and that I’ve spent far too much time and energy on this for it to be worth continuing.
With that being said, I leave you with the information about the issue and walk away from the table, not demanding or requesting anything.”
Edit 10/21: Example 6…rather unexpected, but have been getting quite a few visits in short periods of time from Xerox offices around the country. If only this amount of time and attention were paid to the issue at hand.
Edit 11/3: Details on Example 6 above. Xerox uses, as many businesses do, Microsoft 365 for email. One thing that 365 does is that when you send emails containing links, in the background it visits each link to “check” it. Those visits show up like this:
So it’s really interesting to see those continue to pop up, followed by visits from different Xerox locales across the country…when the contacts spent far less time and energy on the issue when I brought it to their attention. What’s even more interesting is some feedback I got from a former Xerox employee that they aren’t the least bit surprised by the ways they’ve communicated…seems it’s an unofficial corporate standard.