After an investigation performed by the New South Wales Office of the Privacy Commissioner, RailCorp decided to stop selling the USB sticks lost by individuals on trains.
Last year, Sophos experts published the results of a study performed on a number of 57 USB memory sticks purchased at a RailCorp auction. Their analysis showed that the units contained 4,400 files, some of which held personal and work-related information.
After the report was made available, the Privacy Commissioner began an investigation which revealed that even though the devices were erased before being auctioned, the information they stored could still be recovered and possibly misused.
While some experts argued that RailCorp shouldn’t be held responsible because it didn’t collect the data for its own use, the privacy watchdog considered that it was the company’s duty to ensure that the information wouldn’t end up in the wrong hands.
“It seems clear from the matters raised in the public domain by purchasers of USB keys at 2011 RailCorp public auctions, that 3rd party personal information was allegedly accessible to the purchasers,” reads the report recently published by the Privacy Commissioner.
“It seems clear also that had the original data on the USB keys contained personal information, then the processes in place to cleanse the data and meet RailCorp’s obligations under section 12 (c) of the PPIP Act were insufficient for that purpose.”
Even before the investigation ended, RailCorp decided that it would stop selling the unclaimed drives and that it would destroy them instead, a decision welcomed by the Privacy Comissioner.
Either way, experts strongly recommend that users should encrypt all the sensitive information they store on their portable storage drives since in case they get lost or stolen, the risk for misuse increases. After all, not all the USB keys lost on public transport vehicles are retrieved by the company in question.