Sophos, the computer security company that bought the USB keys from RailCorp's lost property auction for just over $400, obtained them to conduct an experiment into data left on lost USB keys.
Paul Ducklin, head of technology at Sophos, analysed the data contained on the devices and found two-thirds were infected with malware.
"Don't be lulled into thinking that your personal data is unimportant unless you're a high-flying executive or have pots of money. Information about you is worth money to cyber criminals," wrote Mr Ducklin, adding there was an underground market for buying and selling personal information.
RailCorp, which has not said whether it accessed the data on the USB keys before selling them, was immediately criticised over the auction. It also sparked the interest of the NSW Deputy Privacy Commissioner, John McAteer.
"We commenced our investigation on Friday and in the first instance RailCorp is going to answer a series of questions and based on the answers to those questions we'll look at what our next step in the investigation is – and if necessary we may speak to third parties to verify some of the answers," said Mr McAteer.
It is understood that the privacy watchdog may speak to Sophos but the company is not under investigation as the NSW Privacy Commissioner only regulates public agencies.
Mr McAteer said he would not jump to any conclusions but he was concerned RailCorp might have breached several sections of the NSW privacy laws concerning using and distributing personal information.
"If they weren't going to return [the USB keys] to the owners or destroy them they had an obligation to work out what was on there and if it was personal information they either had the obligation to cleanse it or to contact the person to whom it related," he said.
Mr McAteer said contacting each individual owner of the USB keys was impractical and the obvious response would have been to destroy the USB keys.
Mr McAteer said his investigation had "royal commission powers" and if a privacy breach was found he could make findings and recommendations but not fine agencies. However, he said individuals whose privacy had been breached could obtain damages from the Administrative Decisions Tribunal.
However, Mr Ducklin, in an email interview with this website, said he did not think RailCorp should be obliged to wipe the data on lost devices they sell "in much the same way that I don't think that ISPs should be obliged to watch your internet traffic and block pirated stuff".
"Apparently NSW Privacy thinks RailCorp should be wiping the keys, but I think NSW Privacy should be frying bigger fish – notably companies which deliberately collect my data for their own commercial purposes, promise to look after it, and then don't," said Mr Ducklin.
Mr Ducklin said if RailCorp was obliged to wipe the USB keys that would cost "way more" than they could be sold for. Sophos had already paid about 50 per cent more for the keys than they would have cost new.
"Then they'll have to start destroying lost USB sticks instead. That would be an environmental shame – we're enough of a disposalist [sic] society already," he said.
Mr Ducklin ridiculed the idea that RailCorp could be expected to protect its customers from making IT blunders.
"What next? Will RailCorp be expected to police the trains looking for people using unsecured 3G wireless hotspots on their daily commute? For iPhone users who haven't set a device passcode?"
Mr McAteer's response was succinct, pointing out that he could only regulate privacy for the public service.
"The 'bigger fish' are beyond the jurisdiction of my office. The law says they can't use the info so they should destroy them. That's the law," he said.
RailCorp said it took the NSW Privacy Commissioner's concerns seriously and it would assist the office with its investigation.
"To ensure we continue to improve our processes RailCorp will be reviewing our guidelines regarding lost property prior to the next auction," a spokesman said.
This reporter is on Twitter: @ashermoses