There has been less media attention this month to an exercise in security street theatre by IT security company Sophos, busy spruiking its malware solutions. Paul Ducklin, described as chief technology officer at Sophos (presumably the Australian arm of Sophos), purchased some 70 USB drives from RailCorp - the NSW transport state owned enterprise - in September this year. The drives were being auctioned by RailCorp - along with laptops, bags, umbrellas, thongs, jumpers, beanies, books and other items - as part of its disposal of unclaimed lost property, ie things left behind at railway stations and in RailCorp's trains. (Comments on the Australian Defence Dept's loss of a thumb drive are here.)
How better to get some publicity - and increase consumer awareness - than by buying a swag of pre-loved thumb drives that - quelle horreur - were duly found by Sophos to contain unencrypted personal information. (Sophos is reported as being "shocked when the auction price was nearly twice the average retail value of the USBs", which suggests the security company was after the story rather than stretching the corporate dollar by stocking up on drives at throwaway prices.)
Some 57 of the drives were functioning and reported as containing "troves of personal data including resumes, tax returns, photos and documents". Ducklin is reported as commenting that "We revealed a good deal of personal information about many of the people who lost the USBs, about their families, friends and colleagues".
RailCorp apparently disposed of laptops at the same time after wiping the hard drive on those devices. Such diligence is welcome, given the incident in 2005 where the NSW State Transit Authority auctioned 12 servers but - oops - failed to delete payroll and financial information, Sydney public transport passenger counts, ticketing system codes, incident reports and employee access PINs.
In responding to the current incident the NSW deputy Privacy Commissioner has reportedly "chastised" RailCorp. (There's no statement on the Commissioner's site or on that of RailCorp.)
The Commissioner reportedly stated that RailCorp should have wiped the USBs prior to selling in order to follow best practice.
By selling the information on the USBs they are deemed to be using it and they should delete the information.I suggest that if the cost of wiping the USB drives is deemed to be too high, RailCorp should simply dispose of the drives on a secure basis rather than unleashing the tax returns, photos, university assignments, and other information into the world.
They should not disclose the data without the consent of the person the data relates to.