The lost property auction of more than 50 USB keys by RailCorp in Sydney has prompted an investigation by the NSW Privacy Commissioner into possible breaches of privacy laws around use and distribution of personal information.
The keys, which were acquired at the auction by security vendor Sophos, were all unencrypted with 33 of the keys containing malware. Tax deductions, photo albums and Web source codes were just some of the kinds of personal information Sophos found.
Deputy NSW Privacy Commissioner, John McAteer, told Computerworld Australia that a series of questions were sent to RailCorp on Friday, 9 December to ascertain what steps the organisation took before selling the USB keys.
McAteer's main concern was that the organisation may have breached sections of NSW privacy laws by selling keys with personal information.
"The allegation is that some of that data is what you would call personal information," he said. "For example, a contract to build a tollway is not personal information even though it might be in commercial confidence whereas a CV would be considered personal."
He added that RailCorp sold a number of laptops at the same auction but wiped the data contained on the computers.
"Our starting point would be that maybe RailCorp need to review the selling of these keys and dispose of them in some other way," he said.
"When you clean out an office and find things sometimes you throw them away because it's safer."
While McAteer's investigation has the power of a royal commission and he can make findings and recommendations, the Privacy Commissioner cannot issue fines. However, individuals who believe their privacy has been breached could obtain damages from the Administrative Decisions Tribunal.
McAteer expected to move to the second stage of the investigation before 25 December.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU