New South Wales’ deputy Privacy Commissioner has chastised RailCorp for selling USB flash drives at auction without deleting sensitive user information.
Some of the USB drives picked up at the auction of lost passenger equipment in September contained troves of personal data including resumes, tax returns, photos and documents.
Paul Ducklin, chief technology officer at Sophos, bought about 70 USB drives at the September auction and uncovered personal data still stored on the devices.
“I’m sure if I was a thief that I could do really well,” Ducklin said.
“We revealed a good deal of personal information about many of the people who lost the USBs, about their families, friends and colleagues.”
But the keys were sold en masse without any attempt to wipe storage data.
It is believed RailCorp wiped clean lost laptops also sold at auction.
NSW deputy Privacy Commissioner John McAteer told SCMagazine Australia that the government organisation should have cleaned the USBs prior to selling in order to follow best practice.
The state-owned corporation is not bound by the same strict privacy guidelines to which other institutions must adhere but that was no excuse, McAteer said.
“By selling the information on the USBs they are deemed to be using it and they should delete the information.”
“They should not disclose the data without the consent of the person the data relates to.”
RailCorp did not immediately respond when asked if it considered whether selling the devices without wiping stored data could be a breach of privacy.
Information galore
Sophos’ Ducklin ran a simple script on the flash drives to reveal the personal data.
None of the devices were encrypted. The “cursory analysis” did not examine deleted information still present in the recycle bin folders on the keys, nor attempt to recover data that users had tried to erase.
Some 66 percent of the 57 functional devices bought by Ducklin were infected with malware. Most targeted the flash drives’ autorun files, particularly on Windows machines.
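The kind of inventory described above is the same check an organisation should run before disposing of lost media: does the drive carry documents likely to hold personal data, is there residual material in a recycle bin folder, and is an autorun.inf present at the root? The script below is an added example, not Ducklin's script or anything from Sophos or RailCorp; it builds a constructed sample drive layout in a temporary directory (placeholder bytes, not real files) and produces a pre-disposal report. The file-type list and recycle folder names are assumptions chosen for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: document and image types that commonly carry personal data on lost media.
PERSONAL_DATA_SUFFIXES = {".doc", ".docx", ".pdf", ".xls", ".xlsx",
                          ".jpg", ".jpeg", ".png", ".txt"}
# Assumption: folder names used by common desktop OSes for deleted-but-present files.
RECYCLE_DIR_NAMES = {"$RECYCLE.BIN", "RECYCLER", ".Trash-1000"}


def audit_removable_media(root):
    """Walk a mounted drive and report what a cursory inventory would find.

    Returns a dict with: whether autorun.inf sits at the root, which files
    look like personal documents, how many items sit in recycle folders,
    and a single needs_sanitisation flag for the disposal decision.
    """
    root = Path(root)
    report = {"autorun_inf": False, "personal_data_files": [],
              "recycle_bin_items": 0, "total_files": 0}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in filenames:
            report["total_files"] += 1
            rel_path = rel_dir / name
            # autorun.inf only matters at the drive root, where Windows reads it.
            if rel_dir == Path(".") and name.lower() == "autorun.inf":
                report["autorun_inf"] = True
            if any(part in RECYCLE_DIR_NAMES for part in rel_path.parts):
                # Deleted-but-present items are counted, not listed by name.
                report["recycle_bin_items"] += 1
            elif Path(name).suffix.lower() in PERSONAL_DATA_SUFFIXES:
                report["personal_data_files"].append(rel_path.as_posix())
    report["personal_data_files"].sort()
    # Any of the three findings means the key must be wiped before resale.
    report["needs_sanitisation"] = bool(report["autorun_inf"]
                                        or report["personal_data_files"]
                                        or report["recycle_bin_items"])
    return report


def build_sample_drive():
    """Create a constructed sample layout resembling a lost USB key.

    All contents are placeholder bytes; nothing here is real user data.
    """
    tmp = tempfile.mkdtemp(prefix="usb_sample_")
    root = Path(tmp)
    (root / "autorun.inf").write_text("[autorun]\nlabel=Sample\n")
    (root / "Documents").mkdir()
    (root / "Documents" / "resume.docx").write_bytes(b"placeholder")
    (root / "Documents" / "tax_return_2008.pdf").write_bytes(b"placeholder")
    (root / "photos").mkdir()
    (root / "photos" / "family.jpg").write_bytes(b"placeholder")
    (root / "$RECYCLE.BIN").mkdir()
    (root / "$RECYCLE.BIN" / "old_notes.txt").write_bytes(b"placeholder")
    (root / "setup.exe").write_bytes(b"MZ")
    return tmp


if __name__ == "__main__":
    drive = build_sample_drive()
    result = audit_removable_media(drive)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The report is only the first half of the decision: a drive flagged by this inventory should go to a proper sanitisation step (overwrite or destruction) rather than a file-level delete, because, as the article notes, a cursory scan like this one does not recover what users thought they had erased.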