Railway's unclaimed USB key auction runs afoul of local Aussie privacy law

18 June 2012

The state-owned passenger rail service RailCorp did not comply with New South Wales' (NSW) privacy law when it “cleansed” data from unclaimed USB keys that it sold at an auction, the Office of the NSW Privacy Commissioner concluded in a report.

The report said that the “data cleansing process” used by RailCorp prior to auctioning off unclaimed USB keys was inadequate because it “did not prevent the recovery of cleansed data using off the shelf, inexpensive software”. As a result, RailCorp did not meet its legal obligations under the Australian state’s Privacy and Personal Information Protection (PPIP) Act.

The investigation was prompted by the purchase of 57 USB keys containing 4,400 files by a team led by Paul Ducklin, head of technology, Asia Pacific, at Sophos. The analysis of the USB keys revealed unencrypted personal information about former owners of the devices, their family, friends, and colleagues.

In response to the privacy commissioner’s investigation, RailCorp announced that it would no longer sell unclaimed USB keys and began a review of its approach to auctioning off other electronic devices that could contain personal information of the users.

RailCorp responded “constructively and quickly once contacted by this office”, said Deputy Privacy Commissioner John McAteer.

“No evidence was uncovered which established the actual disclosure of personal information, tied with a complaint by an individual who had standing to assert that their privacy rights under the PPIP Act had been breached. In this regard the Privacy Commissioner makes no findings in respect of a breach of section 12 of the PPIP Act”, the report concluded.
