Privacy Commissioner condemns RailCorp over USB drive auction

NSW Privacy Commissioner report finds RailCorp did not take adequate measures to protect USB keys from unauthorised access

RailCorp’s auction of USB keys in 2011 did not meet obligations under the Privacy and Personal Information Protection (PPIP) Act 1998 because the thumb drives, which were lost property, contained personal information not protected against unauthorised access, according to a report released by the New South Wales Office of the Privacy Commissioner.

New South Wales deputy privacy commissioner, John McAteer, launched an investigation in December last year after security vendor, Sophos, revealed that the 50 USB keys it purchased at a RailCorp auction contained recoverable personal information while 33 of the keys contained malware.

The report (PDF), entitled Own motion enquiry/investigation RailCorp, found that while RailCorp undertook a data cleansing process of USB keys prior to auction, the process did not prevent the recovery of cleansed data using off-the-shelf, inexpensive software.

In addition, RailCorp did not meet privacy obligations in section 12 (c) of the PPIP Act.

These privacy obligations include:

  • That the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used.
  • Information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information.

  • That the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse.
  • If it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

According to the report, the NSW Privacy Commissioner found that RailCorp’s USB cleansing process was unlikely to enable data to be recovered by re-inserting a USB into a computer running the Windows or Macintosh operating systems and trying to open files. “However, specialised data recovery software has the capacity to extract data from USBs that have undergone the data deletion process, which was used by RailCorp and which is commonly available on Windows based computers,” read the report documents.

“Such specialised data recovery software is readily available and relatively inexpensive.”

The report went on to say that the data recovery process the NSW Privacy Commissioner’s inquiry observed at RailCorp's premises appeared “somewhat time consuming”, but not cumbersome to a degree that might discourage a person from recovering data on the USB sticks.

In conclusion, the report found that third party personal information was allegedly accessible to purchasers of the USB sticks.

“It seems clear that had the original data on the USB keys contained personal information, then the processes in place to cleanse the data and meet RailCorp’s obligations under section 12 (c) of the PPIP Act were insufficient for that purpose,” read the report documents.

“Taking into account the limitations of the existing ‘cleansing’ process, the potential risks to the agency in this aspect of their operations when managing their privacy obligations under the PPIP Act, coupled with the economic necessity for RailCorp to run its lost property operation on a cost recovery basis, it seems prohibitive to the Privacy Commissioner for RailCorp to continue to offer such portable data storage devices (USB keys) for sale.”

The NSW Privacy Commissioner commended RailCorp’s decision to stop the auction of USB keys as the most reasonable outcome of the investigation.

Sophos Asia Pacific director, Rob Forsyth, whose company bought the USB keys at auction in 2011, said the report and subsequent changes to RailCorp policy were a step towards helping consumers better protect their personal information. “It’s encouraging to see that our analysis of these devices has paved the way for positive changes to further protect the privacy of the consumer,” he said in a statement.

“While it’s important that organisations are held accountable for their actions when disposing of sensitive data, consumers also need to realise the importance of encrypting data that may fall into the wrong hands and protecting themselves from common security threats such as malware,” Forsyth said.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the Computerworld newsletter!

Error: Please check your email address.

More about Sophos

CIO
ARN
Techworld
CMO