The New South Wales Office of the Privacy Commissioner has accused the government rail network RailCorp of compromising the data of its customers and employees. RailCorp was selling off unclaimed flash drives. According to officials, the process for deleting data did not meet legislative requirements, since the information on the devices could be restored with the use of inexpensive software. The actions of the rail company were assessed to be a violation of the law on safeguarding the right to a private life and personal information.
RailCorp sold 57 flash drives, containing 4,500 files. The Office of the Privacy Commissioner reported that the devices were not 'encrypted', and that the files contained data on the owners of the devices, as well as their families, friends and colleagues.
It is not yet known whether fraudsters took advantage of the rail company's blunder or not. However, RailCorp has reviewed its security policy, and promised to do all it can to avoid similar incidents in the future.
InfoWatch's chief analyst Nikolai Fedotov comments: «It is remarkable that some operators are only now beginning to worry about erasing information from used media.
Now, the last manufacturer of flash memory has transitioned to new technology, which does not provide a direct record of the memory block, in other words it does not allow files on the drive to be restored or erased. In a year's time, the problem will disappear on its own. Or we will move to a whole new level of difficulty».
