RailCorp abandons lost USB auctions

New South Wales’ RailCorp has scrapped the practice of auctioning off used USB drives after learning of the costs and effort involved in properly deleting stored data.

RailCorp has sold used USB drives at lost property auctions since July 2009, attempting to delete any existing data before the sale using the Windows ‘long format’ function.

But formatting “did not prevent the recovery of cleansed data”, NSW Privacy Commissioner Elizabeth Coombs discovered during an investigation into the process (pdf).

She found that RailCorp “did not utilise specialised data deletion software”, so data could be recovered by off-the-shelf data recovery software that was readily available and relatively inexpensive.

Coombs commenced the investigation in December, after Sophos chief technology officer Paul Ducklin demonstrated his ability to recover resumes, tax returns, photos and documents from a pool of 70 USB devices he bought at a RailCorp auction.

As such, the Privacy Commissioner reported that RailCorp had not met its obligations to protect information against loss, unauthorised access, modification, disclosure and misuse.

RailCorp advised the Privacy Commissioner that the cost and labour involved in eliminating the risk of data recovery "would render auctioning the USBs economically unviable”.

The agency said it had decided to “cease the practice of auctioning unclaimed USBs and adopt a practice of safe disposal by way of secure destruction” of the drives.

Although the Privacy Commissioner uncovered no instances of individuals complaining about privacy breaches because of RailCorp’s USB auctions, she commended the government agency's decision to cease auctioning USBs.

“Technology advances have meant that there are now many mobile devices that store data concerning individuals,” she said.

“We will continue to assist RailCorp in the development of its policy towards the auction or appropriate disposal of such devices.”