RailCorp’s find-and-sell policy for USB devices could have exposed people’s personal data
Handling growing reams of information has been one of the challenges facing the business world in the past few years as servers have stored ever-increasing volumes of records and data has become far more mobile than ever before.
With documents now stockpiled everywhere from computer hard drives to smartphone devices and remote cloud servers, security has also been an issue as companies are required to protect their confidential documents, both by law and as a means to safeguard business continuity.
Backing up files is a good way to prevent problems arising, and data protection methods can help companies defend against thieves looking to steal sensitive information. Even so, Australian company RailCorp has moved to stop selling lost-and-found USB keys after it emerged that personal details could still be obtained from the devices.
According to reports, a 2011 Sophos study found that while the organisation had been taking steps to ‘clean’ the drives before selling them on, the data stored on them had not been encrypted and so could easily be recovered.
"The most shocking thing was that not one file on any of the keys we bought was encrypted – even those files which contained personally identifiable information or proprietary information from work," wrote Sophos’ Paul Ducklin.
The investigation, which saw Sophos purchase a number of USB keys at auction and scrutinise their content, also found malware on two-thirds of the devices, revealing that RailCorp’s techniques for wiping data off the drives were failing to protect past owners.
Following the findings, the company has explained that it will now destroy all USB devices that it finds rather than selling them on. The hope is that the business’s past sales have not resulted in people’s sensitive information falling into the wrong hands.