Examples of the Xerox Communication Issues

Posted on by

In the post about the discovered Xerox MFC configuration security issue, I alluded to frustrations with communicating with the company. Wanted to shed some light on that.

Example 1: at the local (WA office) level, seemed like there was very little concern by the VP (who CC’d in the service manager, though there was no correspondence from him), and suspected they hadn’t alerted anyone higher up the chain. On Sept 13th, after previously going through the details of what I was seeing on the incoming emails, as well as what I’d seen on my client’s MFC, received an email from the VP that said: “This has been resolved and how would we go about getting the domain back?”

My reply: “I think the easiest route is to make me a reasonable offer based on the value of the domain, time and value in alerting the company to the issues with the configuration, the potential effects of the issue with regulatory compliance for some of those clients, and I assume the taking down of the post detailing the issue. Willing to also do an NDA if requested.”

Him, and what led me to believe higher-ups hadn’t been notified of the issue: “I don’t have access to funds more than petty cash, I am not sure what you want or think is reasonable.”

So I replied: “I’ve received six scans since your email, so it does not appear the issue is resolved.

As for the domain, I would have assumed given the potential risk and security concerns that this issue would have been taken up the chain of command. I would highly suggest that be done. Discuss with your associates and let me know your offer. “
Which then led to me receiving a call two days later from an SVP in CA.
Example 2: that SVP, while we had a cordial conversation and an offer for the domain was made, the follow up email was titled: Domain registration issue. The issue, if you go back to the original post, really wasn’t about the domain at all–that only allowed the discovery of the issue. But could have been worse, I suppose.
Example 3: …and it was worse. Another email from the SVP signaled that he got approval for the offer, and asked me to send an invoice, but the NDA wasn’t ready. Replied, basically and nicely, that if the NDA was a part of the discussion, there is no way I could send the invoice without seeing and reading that NDA.
Example 4: Speaking of the NDA, I finally received it Oct 5th. But the terms…just not acceptable. First, the agreement wanted me to start actions on the domain, wait until the registration lock was over in November, and then wait up to another 20 days before receiving payment. Minor-ish issue, but no way I’d take actions without payment received. But the bigger issue: there was nothing in the agreement, aside from me deleting all mentions of the issue and the emails received, to actually deal with the issue. I ended my explanation of that with:
“Selling the domain name back without the concerns being addressed would, in some sense, have me complicit in the ignoring or covering up of those concerns (especially with removal of the post about the concerns). I can’t be a party to that.” The NDA was NOT like this one.

Example 5: Now we get to a series of doozies. My reply to the NDA then led to me receiving an email on Oct 10th from the Deputy Director of Xerox corporate security, CC:ing in some other folks, and stating that he would now be my single point of contact going forward. And then this: “While I believe I have an understanding of the facts, I would like to propose a meeting to review those facts and determine appropriate next steps.

I will send you some availability windows in a separate email shortly.”

Straightforward. But…not so much. That email came on a Thurs morning. Didn’t hear anything back, so emailed on the following Monday afternoon “Wanted to check back in–hadn’t received that follow up email with the availability windows.”

Did I get an email? No.

I got, on Tues afternoon, and without consult, discussion, or explanation, a calendar invite for a Zoom meeting the next morning at 8:30am. Oh, and he included in that Zoom meeting Xerox legal counsel…despite him explaining he’d be the single point of contact.

I didn’t respond. But at 8:05am that morning, he sent a cancellation.

Then that afternoon, also without consult, discussion, or explanation, sent another calendar invite for a Zoom meeting the next morning at 8am.

By Friday I was done, and decided to just walk away from the table, so to speak:

“My intent on reaching out to Xerox, from the time of the discovery until now, has been to notify the company about the issue, because I saw the potential severity of it both to Xerox and the companies affected. I presented the information in good faith.

To be completely frank, from the beginning the reaction to the issue and the communication (or non-communication) from the various Xerox contacts has been bewildering.

I still believe that the issue is a major one, and that it does not meet the Xerox Safeguarding and Using Customer Information section of the Xerox Code of Business Conduct.

But I also realize ultimately that is Xerox‘s call, and that I’ve spent far too much time and energy on this for it to be worth continuing.

With that being said, I leave you with the information about the issue and walk away from the table, not demanding or requesting anything.”

There was a response that essentially ignored the email, but then seemed to try to position himself by using the phrases “I had made several attempts” and “any of this week’s invitation”.

By that point, I was just done, and on Saturday replied:

“This appears to be another example of the communication with Xerox that I called bewildering. Even if it wasn’t with intent, it falls in line with much of the other communication from the company.

To review:

1. Your initial email stated you would be sending “some availability windows in a separate email shortly.” That didn’t happen.
2. You replied, mentioning “several attempts without success” and “any of this week’s invitation.”
3. In looking at the filtered calendar invites:
a. you sent one on Tues afternoon at 2:48pm titled ITServiceWorks Follow up for a Zoom meeting scheduled for Wed morning at 8:30am
b. you sent a cancellation for it Wed morning at 8:05am.
c. you sent another Wed afternoon at 12:15pm titled Xerox IT Issue – Follow up  for Thur morning at 8:00am

4. Two invites does not equate to “several attempts”, or the multiple implied in “any of this week’s invitations”, and it certainly doesn’t meet the expectation you set in your original email with “some availability windows in a separate email shortly.”

5. Regardless of those important details, sending calendar invites without discussion is itself bewildering, tantamount to an order or demand. As I am not an employee or agent of Xerox, that doesn’t sit well.
You may very well think these things are minor. But from my perspective, they continue a pattern of communication that has eroded trust. So I stand by what I wrote Friday morning:

I still believe that the issue is a major one, and that it does not meet the Xerox Safeguarding and Using Customer Information section of the Xerox Code of Business Conduct.

But I also realize ultimately that is Xerox‘s call, and that I’ve spent far too much time and energy on this for it to be worth continuing.

With that being said, I leave you with the information about the issue and walk away from the table, not demanding or requesting anything.”

Edit 10/21: Example 6…rather unexpected, but have been getting quite a few visits in short periods of time from Xerox offices around the country.  If only this amount of time and attention were paid to the issue at hand.

Edit 11/3: Details on Example 6 above. Xerox uses, as many businesses do, Microsoft 365 for email. One thing that 365 does is that when you send emails with links, in the background it visits that link to “check” it. Those visits show up like this:

So it’s really interesting to see those continue to pop up, followed by visits from different Xerox locales across the country…when the contacts spent far less time and energy on the issue when I brought it to their attention. What’s even more interesting is some feedback I got from a former Xerox employee that they aren’t the least bit surprised by the ways they’ve communicated…seems it’s an unofficial corporate standard.

1 thought on “Examples of the Xerox Communication Issues

  1. Pingback: Multifunction Printer/Scanner Security Issue Discovered

Comments are closed.