RailCorp has stopped auctioning USB sticks left on its trains because it is not economically practical to do so without putting personal data at risk.
The NSW Privacy Commissioner has started a review of RailCorp after Sophos found that the USB flash drives the organisation had auctioned from its lost property stores had recoverable personal information on them.
RailCorp holds lost USB sticks for a set period and screens them for information that might help it return the device to its owner. If the owner could not be identified, the data was erased and the stick offered at auction.
The commissioner said that, to erase the data, staff would insert the USB flash drive into a Windows computer and run a full ("long") format.
However, security company Sophos was able to recover data from the formatted USB sticks using what the privacy commissioner called "off the shelf, inexpensive" software. The commissioner found that RailCorp had therefore not met the requirements of section (c) of the Privacy and Personal Information Protection Act 1998, since it had disclosed personal information without the consent of the person concerned.
Even though a normal user would be unlikely to recover the data, the software needed to do so is not hard to buy, the commissioner said.
"The data recovery process that the Privacy Commissioner's inquiry process observed at the company's premises appears somewhat time consuming, but not cumbersome to a degree that might discourage a person intent on data recovery," it said.
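The reason a format does not protect the previous owner is that a format rewrites filesystem metadata (the directory and allocation tables) but, in the case the commissioner describes, leaves the underlying data blocks untouched, so a recovery tool that ignores the filesystem and scans the raw sectors finds the old contents intact. The following is an added illustration, not RailCorp's procedure or Sophos's tool: a toy block device in Python with a directory table in its first two blocks, a format that clears only that table, a carver that regex-scans the raw bytes for e-mail addresses and Australian mobile numbers, and a wipe that overwrites every block and reads it back to verify. The device layout, file names and personal data are all constructed.

```python
"""Why a filesystem format is not a wipe.

Toy block device: blocks 0-1 hold a directory table (name|start|length per
line), the rest hold file contents. A "format" rewrites the table only; a
carving tool ignores the table and scans raw bytes; a wipe overwrites every
block and reads it back. All names and personal data below are constructed.
"""
import re

BLOCK = 64          # bytes per block ("sector")
NBLOCKS = 32        # 2 KiB device
DIR_BLOCKS = 2      # blocks reserved for the directory table

# Crude PII carvers: an e-mail address and an Australian mobile number.
PII_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "au_mobile": re.compile(rb"\b04\d{2} ?\d{3} ?\d{3}\b"),
}


class ToyDevice:
    """A flat byte array standing in for the raw sectors of a USB stick."""

    def __init__(self) -> None:
        self.raw = bytearray(BLOCK * NBLOCKS)
        self.entries: list[tuple[str, int, int]] = []
        self.next_free = DIR_BLOCKS

    def _flush_directory(self) -> None:
        table = b"".join(f"{n}|{s}|{l}\n".encode() for n, s, l in self.entries)
        size = DIR_BLOCKS * BLOCK
        self.raw[0:size] = table.ljust(size, b"\x00")[:size]

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK)          # ceil division
        start = self.next_free
        if start + nblocks > NBLOCKS:
            raise OSError("device full")
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.next_free += nblocks
        self.entries.append((name, start, len(data)))
        self._flush_directory()

    def list_files(self) -> list[str]:
        """What Explorer or a normal user sees: only what the table lists."""
        table = bytes(self.raw[:DIR_BLOCKS * BLOCK]).rstrip(b"\x00").decode()
        return [line.split("|")[0] for line in table.splitlines() if line]

    def quick_format(self) -> None:
        """Rewrite the metadata; the data blocks are not touched."""
        self.entries = []
        self.next_free = DIR_BLOCKS
        self._flush_directory()

    def wipe(self, pattern: bytes = b"\x00") -> bool:
        """Overwrite every block, then read back and verify the overwrite."""
        fill = (pattern * BLOCK)[:BLOCK]
        for b in range(NBLOCKS):
            self.raw[b * BLOCK:(b + 1) * BLOCK] = fill
        self.entries, self.next_free = [], DIR_BLOCKS
        # A wipe that is not read back and checked is not a wipe.
        return all(self.raw[b * BLOCK:(b + 1) * BLOCK] == fill
                   for b in range(NBLOCKS))


def carve(dev: ToyDevice) -> dict[str, list[str]]:
    """Recovery-tool behaviour: ignore the directory, scan every raw byte."""
    raw = bytes(dev.raw)
    return {kind: sorted({m.group().decode() for m in pat.finditer(raw)})
            for kind, pat in PII_PATTERNS.items()}


def demo() -> dict:
    """Write two files, format, carve, wipe, carve again."""
    dev = ToyDevice()
    dev.write_file("contacts.txt",
                   b"Jane Citizen <jane.citizen@example.com> 0412 345 678\n")
    dev.write_file("notes.txt", b"call Bob 0400 111 222 re: payroll\n")
    result = {"listed_before": dev.list_files()}
    dev.quick_format()
    result["listed_after_format"] = dev.list_files()     # [] -- looks empty
    result["carved_after_format"] = carve(dev)           # PII still present
    result["wipe_verified"] = dev.wipe()
    result["carved_after_wipe"] = carve(dev)             # nothing left
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add. The article does not say which Windows version RailCorp used: a full format on Windows XP only scans for bad sectors and leaves data in place, whereas on Windows Vista and later it zeros the volume. And even a verified overwrite through the block interface reaches only the logical sectors the controller exposes; USB flash controllers remap and wear-level NAND pages, so spare or retired pages can still hold old data. For devices that will leave the organisation, the dependable answer is to destroy them, or never to have stored anything on them unencrypted.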
As a result of the investigation, RailCorp staff said the organisation had reviewed the risk of selling the USB sticks and concluded that the effort required to make the data unrecoverable would make auctioning them impractical. It has therefore stopped auctioning USB sticks altogether.
Although the Act had been breached, the Privacy Commissioner had received no complaints and so took no further action on its findings, considering RailCorp's response sufficient.