The New South Wales privacy commissioner is investigating Railcorp after it sold 50 USB keys containing personal data to computer security company Sophos at its lost property auction. While a Railcorp spokeswoman said the organisation has a process "where we look to erase any stored information" before auctioning devices, the keys had not been wiped of data. Deputy Privacy Commissioner John McAteer said, if the company wasn't going to destroy the devices, it "had an obligation to work out what was on there, and if it was personal information, they either had the obligation to cleanse it or to contact the person to whom it related." However, The Sydney Morning Herald reports that Paul Ducklin of Sophos says Railcorp should not be responsible for "protecting its customers from making IT blunders."