DataBreaches.Net


AU: Railcorp blunder as personal details offered in rail sale (updated)

Posted on December 9, 2011 by Dissent

Finders, keepers? Can you just auction off lost USB drives left on trains without regard to whether they contain sensitive information? Maureen Shelley reports:

A bunch of USB memory sticks, which hold private photos and data, left by passengers on Sydney trains were sold by Railcorp at a lost property auction.

Computer security company Sophos, which bought the sticks, said they contained thousands of photographs, work projects, minutes of meetings and university assignments as well as a job application and resumé (sic).

NSW Information and Privacy deputy commissioner John McAteer said that his office was investigating a possible breach of the Privacy Act by RailCorp and whether it had kept passengers’ private data safeguarded.

Read more on The Daily Telegraph.

Updated 12-14-11: RailCorp isn’t saying whether it erased any data before selling devices, leading to concerns about what they’ve done in previous auctions. Read more on The Sydney Morning Herald.

Related posts:

  • AU: RailCorp violated NSW privacy law by not properly wiping lost USB drives before auctioning them – report
  • Australian, Railcorp sells customers personal information at auctions
Category: Breach Incidents, Government Sector, Non-U.S., Other


3 thoughts on “AU: Railcorp blunder as personal details offered in rail sale (updated)”

  1. David says:
    December 9, 2011 at 7:53 am

    It is quite possible that once an item like a USB stick is lost, there is no statutory obligation on the finder to protect the privacy of the contents.

    At best, it’s difficult to see how such an obligation could ever be enforceable.

    1. admin says:
      December 9, 2011 at 8:22 am

      Anything’s possible, but what do their laws proscribe? There may be no statutory duty to protect it (and I’m not sure about that as I don’t know AU law), but can an entity sell personal data without the consent of the data subject under AU law? We need an AU privacy lawyer here.

  2. Major_Tom says:
    December 14, 2011 at 7:31 am

    I am sure if you look at this in the light of anything else, it’s purely wrong. Courts want to ensure that companies follow the prudent man rule, and with that said, this action is far from it.

    The “finders keepers” side of this is just that. If you have ownership or custody for something, and you are about to sell it, you are deemed responsible for what you are selling. This is no different than someone buying/selling hacked website info or PII. Ignorance may play a part, but 99.9% of the time it doesn’t fly in the courts.

    I’d be interested in seeing the actual description of the auction and how much the bid was initially started for, and the end price paid.

    It’s not all on the sellers here. I am sure the people who lost this data probably did not notify their company, let alone set out on a long hard search to recover it. It seems like it’s a process that this company has that’s broke. The people in charge of the so-called lost and found are probably lost themselves – anyone with any knowledge of computers or watches TV knows that USB sticks are a potential Pandora’s box when they are lost.

    I guess if they like free negative publicity, then they got what they asked for.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.