AU: RailCorp violated NSW privacy law by not properly wiping lost USB drives before auctioning them – report
Remember the news coverage of how RailCorp was auctioning off USB drives left on trains without properly wiping them first? There’s a follow-up to the story on Infosecurity-Magazine this week:
The state-owned passenger rail service RailCorp did not comply with New South Wales’ (NSW) privacy law when it “cleansed” data from unclaimed USB keys that it sold at an auction, the Office of the NSW Privacy Commissioner concluded in a report.
The report said that the “data cleansing process” used by RailCorp prior to auctioning off unclaimed USB keys was inadequate because it “did not prevent the recovery of cleansed data using off the shelf, inexpensive software”. As a result, RailCorp did not meet its legal obligations under the Australian state’s Privacy and Personal Information Protection (PPIP) Act.
Read more on Infosecurity-Magazine.com.
What’s somewhat impressive is that the Privacy Commissioner’s office sent someone out to RailCorp to actually observe the data wiping/deletion process and to a security firm to observe the data recovery process.
via IAPP ANZ