Chalk this one up for common sense: following an investigation which showed that USB memory keys sold at a lost property auction by NSW RailCorp were unencrypted and filled with malware, the rail authority has decided to stop selling second-hand USB gear.
The decision was revealed in an announcement by the NSW Privacy Commissioner, which investigated the issue after it was disclosed by security software vendor Sophos. Sophos had found that none of the keys were encrypted and two-thirds of them contained malware.
The review found that while RailCorp did erase data from the USB sticks, it did so only with the most basic approach, meaning anyone with a half-decent unerase utility could potentially recover private data. While the review was going on, RailCorp also apparently realised that the effort of wiping data was not really worth it in a world where USB key prices continue to drop rapidly:
During the Privacy Commissioner’s attendance at RailCorp premises as part of the investigation process, RailCorp staff advised that RailCorp had reviewed the risk that its deletion process presents to the personal information on the USBs and had concluded that the additional cost and labour time required to eliminate it would render auctioning the USBs economically unviable. For this reason RailCorp advised that it had decided to cease the practice of auctioning unclaimed USBs and adopt a practice of safe disposal by way of secure destruction of the USBs.
Sounds wise to us.