RailCorp's sale of 50 misplaced USB keys containing sensitive personal information about passengers has sparked an investigation by the NSW Privacy Commissioner.
The investigation has led to a tiff between the privacy watchdog and Sophos, the computer security company that bought the USB keys from RailCorp's lost property auction for just over $400.
Paul Ducklin, head of technology at Sophos, analysed the data contained on the USB keys and found that two-thirds of them were infected with malware.
None of the USB keys was encrypted, and while Ducklin said he only did a "cursory" analysis of the personal information contained on them, he found CVs, job applications, tax return information, photo albums, work projects, university assignments, minutes of meetings, software and source code.
"Don't be lulled into thinking that your personal data is unimportant unless you're a high-flying executive or have pots of money. Information about you is worth money to cyber criminals," wrote Ducklin, adding there was an underground market for buying and selling personal information.
RailCorp was immediately criticised for selling the USB keys. It also sparked the interest of the NSW Deputy Privacy Commissioner, John McAteer.
Mr McAteer's office regulates privacy in the NSW public service, and he said that, as a public sector agency, RailCorp had more stringent privacy obligations than a private company.
"We commenced our investigation on Friday and in the first instance RailCorp is going to answer a series of questions and based on the answers to those questions we'll look at what our next step in the investigation is – and if necessary we may speak to third parties to verify some of the answers," said Mr McAteer.
It is understood that the privacy watchdog may speak to Sophos but the company is not under investigation as the NSW Privacy Commissioner only regulates public agencies.
Mr McAteer said he would not jump to any conclusions; however, he was concerned RailCorp may have breached several sections of the NSW privacy laws concerning the use and disclosure of personal information.
"If they weren't going to return [the USB keys] to the owners or destroy them they had an obligation to work out what was on there and if it was personal information they either had the obligation to cleanse it or to contact the person to whom it related," he said.
Mr McAteer said contacting each individual owner of the USB keys was impractical, and the obvious response would have been to destroy the USB keys.
Mr McAteer said his investigation has "royal commission powers" and if a privacy breach is found he can make findings and recommendations but not fine agencies. However, he said individuals whose privacy had been breached could obtain damages from the Administrative Decisions Tribunal.
However, Ducklin, in an email interview with this website, said he did not think RailCorp should be obliged to wipe the data on lost devices they sell "in much the same way that I don't think that ISPs should be obliged to watch your internet traffic and block pirated stuff".
"Apparently NSW Privacy thinks RailCorp should be wiping the keys, but I think NSW Privacy should be frying bigger fish – notably companies which deliberately collect my data for their own commercial purposes, promise to look after it, and then don't," said Ducklin.
Ducklin said if RailCorp was obliged to wipe the USB keys that would cost "way more" than they could be sold for. Already, Sophos paid about 50 per cent more than if they were bought new.
"Then they'll have to start destroying lost USB sticks instead. That would be an environmental shame – we're enough of a disposalist [sic] society already," he said.
Ducklin ridiculed the idea that RailCorp could be expected to protect their customers from making IT blunders.
"What next? Will RailCorp be expected to police the trains looking for people using unsecured 3G wireless hotspots on their daily commute? For iPhone users who haven't set a device passcode?"
Mr McAteer's response was succinct, pointing out that he can only regulate privacy for the public service.
"The 'bigger fish' are beyond the jurisdiction of my office. The law says they can't use the info so they should destroy them. That's the law," he said.
RailCorp said it took the NSW Privacy Commissioner's concerns seriously and it would assist the office with its investigation.
"To ensure we continue to improve our processes RailCorp will be reviewing our guidelines regarding lost property prior to the next auction," a spokesman said.
Read more: http://www.smh.com.au/technology/security/railcorp-sale-of-sydney-train-passengers-usb-keys-sparks-probe-20111213-1orzq.html