Following a 2011 Sophos study that found user data and malware infections on lost USB drives being sold by Australia's RailCorp, the organization has decided to destroy all lost USB keys it finds in the future, rather than reselling them.
"Sophos found personal tax records, a resume and job application, and hundreds of other personal and work documents (including personal photos and other data)," writes Ars Technica's Sean Gallagher. "None of the USB drives found were encrypted, and two-thirds of the drives were infected with some form of malware. While assisting the Privacy Commissioner’s investigation, Sophos demonstrated that data recovery from USB drives could be completely automated, apart from plugging in and removing the drives."
"RailCorp has sold used USB drives at lost property auctions since July 2009, attempting to delete any existing data before the sale using the Windows 'long format' function," iTnews reports. "But formatting 'did not prevent the recovery of cleansed data,' NSW Privacy Commissioner Elizabeth Coombs discovered during an investigation into the process [PDF file.]"
"In response to the privacy commissioner’s investigation, RailCorp announced that it would no longer sell unclaimed USB keys and began a review of its approach to auctioning off other electronic devices that could contain personal information of the users," Infosecurity reports. "RailCorp responded 'constructively and quickly once contacted by this office,' said Deputy Privacy Commissioner John McAteer."
Still, as Sophos' Paul Ducklin notes, "The most shocking thing in our original research was not the high prevalence of malware, nor the fact that the keys got sold in the first place, nor that USB keys are so easy to lose. The most shocking thing was that not one file on any of the keys we bought was encrypted -- even those files which contained personally identifiable information or proprietary information from work. Encrypt everything and you never have to worry about the stuff you didn't encrypt!"
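As an added illustration (not code from the article, from Sophos or from RailCorp), the following Python simulation of a toy flash-stick image shows the two points above together: a format that only rebuilds the directory table leaves file contents carvable by a simple scanner, while the same record encrypted before it was written yields no plaintext to that scanner. The block geometry, the directory layout, the sample record and the HMAC-based keystream are all constructed for the demonstration and are not a real filesystem or a production cipher.

```python
import hashlib, hmac, re

BLOCK, TABLE_BLOCKS, NUM_BLOCKS = 64, 2, 32  # toy stick geometry (constructed)
TABLE_END = BLOCK * TABLE_BLOCKS             # directory table fills the first blocks

def new_image() -> bytearray:
    """A blank 'USB stick': directory table first, data blocks after it."""
    return bytearray(BLOCK * NUM_BLOCKS)

def write_file(img: bytearray, name: str, data: bytes, first_block: int) -> None:
    """Record a directory entry, then store the file bytes in data blocks."""
    entry = f"{name}:{first_block}:{len(data)};".encode()
    pos = img[:TABLE_END].find(b"\x00")
    img[pos:pos + len(entry)] = entry
    img[BLOCK * first_block:BLOCK * first_block + len(data)] = data

def list_files(img: bytearray) -> list:
    """Names the directory table knows about (what a file browser would show)."""
    entries = img[:TABLE_END].split(b";")
    return [e.split(b":")[0].decode() for e in entries if e.strip(b"\x00")]

def format_image(img: bytearray) -> None:
    """A metadata-only format: the directory is cleared, data blocks are untouched."""
    img[:TABLE_END] = bytes(TABLE_END)

def carve(img: bytearray, min_len: int = 8) -> list:
    """Recover printable runs from the data region, ignoring the directory entirely."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, bytes(img[TABLE_END:]))]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream from HMAC-SHA256: illustrative only, not a production cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def demo() -> dict:
    """One constructed record stored in clear and encrypted; both sticks then 'formatted'."""
    record = b"TFN 123 456 789 (constructed sample)"
    clear, enc = new_image(), new_image()
    write_file(clear, "tax.txt", record, 2)
    write_file(enc, "tax.txt", keystream_xor(b"k" * 32, b"nonce-01", record), 2)
    listed = list_files(clear)
    format_image(clear)
    format_image(enc)
    return {"listed_before": listed, "listed_after_format": list_files(clear),
            "carved_clear": carve(clear),
            "plaintext_carved_from_encrypted": any("TFN" in s for s in carve(enc))}
```

Running `demo()` shows the directory empty after the format while the cleartext record is still carved whole; only the encrypted copy gives the carver nothing readable.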