RailCorp will review its annual lost property auction after the state-owned corporation came under fire for selling USB sticks loaded with sensitive data to the public.
In a statement to CRN sister site SC Magazine, Railcorp said it would review "guidelines regarding lost property prior to the next auction".
"With digital devices RailCorp undertakes a process in good faith where we look to erase any stored information before it is included in our lost property auction," a spokesperson said.
"If staff do find something that has contact information they make every effort to return it."
It did not say how sensitive documents on hundreds of USBs sold at the auctions could be identified or removed, nor if it had previously considered the implications of selling lost personal storage devices.
The documents including tax returns and resumes were uncovered after Sophos chief technology officer Paul Ducklin ran a simple script to examine files left on 57 USB sticks he bought at the previous September RailCorp auction.
RailCorp advised customers to encrypt storage devices and attach a name and contact number to items carried on trains to assist in the return of lost items.
"We also remind customers of the importance of looking after their digital device and to consider best practice surrounding security and encryption."
RailCorp holds lost property for a minimum of 28 working days for owners to claim.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
