RailCorp abandons lost USB auctions

Powered by SC Magazine
 

Eliminating data 'economically unviable'.

New South Wales’ RailCorp has scrapped the practice of auctioning off used USB drives after learning of the costs and effort involved in properly deleting stored data.

RailCorp has sold used USB drives at lost property auctions since July 2009, attempting to delete any existing data before the sale using the Windows ‘long format’ function.

But formatting “did not prevent the recovery of cleansed data”, NSW Privacy Commissioner Elizabeth Coombs discovered during an investigation into the process (pdf).

She found that RailCorp “did not utilise specialised data deletion software”, so data could be recovered by off-the-shelf data recovery software that was readily available and relatively inexpensive.

Coombs commenced the investigation in December, after Sophos chief technology officer Paul Ducklin demonstrated his ability to recover resumes, tax returns, photos and documents from a pool of 70 USB devices he bought at a RailCorp auction.

As such, the Privacy Commissioner reported that RailCorp had not met its obligations to protect information against loss, unauthorised access, modification, disclosure and misuse.

RailCorp advised the Privacy Commissioner that the cost and labour involved in eliminating the risk of data recovery "would render auctioning the USBs economically unviable”.

The agency said it had decided to “cease the practice of auctioning unclaimed USBs and adopt a practice of safe disposal by way of secure destruction” of the drives.

Although the Privacy Commissioner uncovered no instances of individuals complaining about privacy breaches because of RailCorp’s USB auctions, she commended the government agency's decision to cease auctioning USBs.

“Technology advances have meant that there are now many mobile devices that store data concerning individuals,” she said.

“We will continue to assist RailCorp in the development of its policy towards the auction or appropriate disposal of such devices.”

Copyright © iTnews.com.au . All rights reserved.


RailCorp abandons lost USB auctions
 
 
 
Top Stories
Photos: iTnews Benchmark Awards countdown begins
Just a few days left until entries close for 2014.
 
Australian Govt to rethink cyber security strategy
Six-year old policy to be refreshed.
 
The failure of the antivirus industry
[Blog post] Insights from AVAR 2014.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 1040

Vote