RailCorp abandons lost USB auctions

Powered by SC Magazine
 

Eliminating data 'economically unviable'.

New South Wales’ RailCorp has scrapped the practice of auctioning off used USB drives after learning of the costs and effort involved in properly deleting stored data.

RailCorp has sold used USB drives at lost property auctions since July 2009, attempting to delete any existing data before the sale using the Windows ‘long format’ function.

But formatting “did not prevent the recovery of cleansed data”, NSW Privacy Commissioner Elizabeth Coombs discovered during an investigation into the process (pdf).

She found that RailCorp “did not utilise specialised data deletion software”, so data could be recovered by off-the-shelf data recovery software that was readily available and relatively inexpensive.

Coombs commenced the investigation in December, after Sophos chief technology officer Paul Ducklin demonstrated his ability to recover resumes, tax returns, photos and documents from a pool of 70 USB devices he bought at a RailCorp auction.

As such, the Privacy Commissioner reported that RailCorp had not met its obligations to protect information against loss, unauthorised access, modification, disclosure and misuse.

RailCorp advised the Privacy Commissioner that the cost and labour involved in eliminating the risk of data recovery "would render auctioning the USBs economically unviable”.

The agency said it had decided to “cease the practice of auctioning unclaimed USBs and adopt a practice of safe disposal by way of secure destruction” of the drives.

Although the Privacy Commissioner uncovered no instances of individuals complaining about privacy breaches because of RailCorp’s USB auctions, she commended the government agency's decision to cease auctioning USBs.

“Technology advances have meant that there are now many mobile devices that store data concerning individuals,” she said.

“We will continue to assist RailCorp in the development of its policy towards the auction or appropriate disposal of such devices.”

Copyright © iTnews.com.au . All rights reserved.


RailCorp abandons lost USB auctions
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1773

Vote
Do you support the abolition of the Office of the Information Commissioner?