Disk Encryption: Australia’s Railcorp Auctions Off USB Flash Disks With Personal Data, Being Investigated.
The Daily Telegraph (dailytelegraph.au) has a headline that reads “Railcorp blunder as personal details offered in rail sale.” It piqued my interest; what kind of company would do that in this day and age? Then, I realized, hey, using data encryption on the things and losing the keys before selling them is not exactly easy work.
The story actually ties to a Sophos blog post that I had been planning on commenting on. Two days ago, the NakedSecurity blog announced that lost USB flash drives have a 66% chance of being infected with malware. The study was based on 50 USB keys that were bought at auction from Australia’s Rail Corporation New South Wales, commonly known as Railcorp. The short study showed that:
1. Buying keys at auction is expensive, at twice the retail price.
2. 33 out of the 50 USB keys were infected with malware.
3. There was a significant amount of personal data (but no WikiLeaks-worthy data).
4. None of the keys were protected with encryption software, despite #3 above.
Of course, the question is, what’s Railcorp doing, selling USB keys with people’s personal data (more specifically, customers’ lost USB keys with personal data)?
Doing Something Stupid
Obviously, Railcorp was doing something stupid. When I had cursorily skimmed Sophos’s post a couple of days ago, I had seen the words “all the keys had been formatted” and took that to mean that Railcorp had exercised a modicum of data safety before selling the keys. After all, isn’t that what one should do?
As it turns out, Sophos had merely been commenting on the data volume type (the file-system format) of the USB disks, not on any wiping. In terms of the personal data:
So, we didn’t dig anywhere near as deep as an unethical hacker or a serious investigator would have. In particular, we didn’t analyse every byte of every file, or search systematically for keywords across slack space, or try to reconstruct deleted files. [my emphasis]
Whoa. Railcorp: what were you thinking?
Completely Wiping Data Is Close to Impossible on Flash Drives
Before looking into the details, I was going to cut Railcorp some slack. I honestly thought that Sophos had recovered files to do their analysis. If that had been the case, I would have made the following remarks:
1. Formatting data doesn’t wipe it. Most people are not aware of it, but formatting a disk doesn’t delete data. It looks like you’ve deleted it, but only because formatting razes the original instructions on where to find files (think of it as the computer’s inventory log of which files are where). Without these instructions / inventory log, the computer just assumes there are no files. Likewise with “deleting” data: it just removes that particular file’s name from the inventory log, but the file’s contents are still there on the disk. Any data recovery software would easily find files in either case. The only way to make data unrecoverable is to write new data on top of it.
2. Overwriting flash drives doesn’t work. Writing new data on top of the old only works for hard disk drives. For flash-memory based media, it turns out that data overwrites don’t work: the drive’s controller spreads writes across the chip (wear levelling), so the new data can land on a different physical location while the old copy stays in place. The only way you can make the data unrecoverable is to use data encryption and then lose the encryption key.
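As an added illustration, not code from the original post, the following Python model of a simplified flash translation layer shows why point 2 holds and why encrypt-then-lose-the-key is the workable mitigation. The page size, the ToyFlash model and the "PII:ACCT-1234" sample value are constructed for the example, and the XOR keystream stands in for a real cipher.

```python
import os
from hashlib import sha256

class ToyFlash:
    """Simplified flash translation layer (FTL): a write to a logical block
    always lands on a fresh erased physical page (out-of-place update) and
    the previous page is merely unmapped, not erased. Constructed model."""

    PAGE = 16  # bytes per page; constructed size for the example

    def __init__(self, n_pages=8):
        self.phys = [b"\xff" * self.PAGE for _ in range(n_pages)]  # all erased
        self.free = list(range(n_pages))
        self.map = {}  # logical block -> physical page

    def write(self, lba, data):
        data = data.ljust(self.PAGE, b"\x00")[: self.PAGE]
        page = self.free.pop(0)   # wear levelling picks the next free page
        self.phys[page] = data
        self.map[lba] = page      # old page keeps its contents, just unmapped

    def read(self, lba):          # what the host / file system sees
        return self.phys[self.map[lba]]

    def raw_dump(self):           # what a chip-off read of the NAND shows
        return b"".join(self.phys)


def overwrite_leaves_data(secret=b"PII:ACCT-1234"):
    """Overwriting the logical block twice does not scrub the first page."""
    flash = ToyFlash()
    flash.write(0, secret)
    flash.write(0, b"\x00" * ToyFlash.PAGE)    # zero-fill "secure wipe"
    flash.write(0, os.urandom(ToyFlash.PAGE))  # random-fill "secure wipe"
    host_view_clean = secret not in flash.read(0)
    still_on_chip = secret in flash.raw_dump()
    return host_view_clean, still_on_chip      # -> (True, True)


def encrypt_then_lose_key(secret=b"PII:ACCT-1234"):
    """Store only ciphertext; once the key is gone, stale pages are useless."""
    key = os.urandom(32)
    stream = sha256(key).digest()[: ToyFlash.PAGE]  # toy keystream, not a real cipher
    plain = secret.ljust(ToyFlash.PAGE, b"\x00")
    flash = ToyFlash()
    flash.write(0, bytes(p ^ s for p, s in zip(plain, stream)))
    del key  # key lost: no page on the chip decrypts without it
    return secret not in flash.raw_dump()           # -> True
```

The host-visible block reads as wiped after the overwrites, yet the original page is still present in the raw chip dump; with the data stored only as ciphertext, the stale page is worthless once the key is gone.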
If most people are not aware of point 1 above, even fewer (far fewer) are aware of point 2. So, I would have given Railcorp a pass if they had just formatted the USB disks or deleted the data prior to selling them, thinking that was secure (we can’t expect some guy who’s overseeing the sale of umbrellas and such to be a data security guy at the same time).
On the other hand, it’s quite apparent that absolutely no thought was given about personal data security issues in this case. And that cannot be forgiven.