Security firm Sophos attended RailCorp’s (owner of Cityrail and Countrylink trains) lost property auction in Sydney and snapped up 50 USB keys to see what kind of data was falling out of pockets.
The study found that not a single drive was using encryption and that 66% of them were infected with malware (malicious security programs such as viruses or spying software).
In total, Sophos was able to access 4,443 files on the USB sticks, including 2,882 images, 629 source code files, 197 web files, 145 documents, 128 programs, and 23 videos.
Some of these included sensitive documents such as lists of tax deductions, minutes from an activist group’s meeting, AutoCAD drawings, as well as one person’s portfolio and work application.
“This study serves as a timely reminder that any information about you is worth money to cybercriminals, no matter who you are,” wrote Paul Ducklin, head of technology for the Asia Pacific at Sophos, in a statement.
“Don’t forget the crooks don’t need to be directly involved in identity theft themselves – there’s an underground market for selling on personally identifiable information of all sorts,” added Ducklin.