RailCorp sale of Sydney train passengers' USB keys sparks probe

By Asher Moses
Updated November 6 2012 - 3:00am, first published December 12 2011 - 11:02pm

RailCorp's sale of 50 misplaced USB keys containing sensitive personal information about passengers has sparked an investigation by the NSW Privacy Commissioner.

The investigation has led to a tiff between the privacy watchdog and Sophos, the computer security company that bought the USB keys from RailCorp's lost property auction for just over $400.

Paul Ducklin, head of technology at Sophos, analysed the data contained on the USB keys and found two thirds were infected with malware.

None of the USB keys was encrypted and, while Ducklin said he only did a "cursory" analysis of the personal information contained on them, he found there were CVs, job applications, tax return information, photo albums, work projects, university assignments, minutes of meetings, software and source code.

"Don't be lulled into thinking that your personal data is unimportant unless you're a high-flying executive or have pots of money. Information about you is worth money to cyber criminals," wrote Ducklin, adding there was an underground market for buying and selling personal information.

RailCorp, which has not said whether it accessed the data on the USB keys before selling them, was immediately criticised over the auction.

It also sparked the interest of the NSW Deputy Privacy Commissioner, John McAteer.

Mr McAteer's office regulates privacy in the public service and said that since RailCorp was a public sector agency it had more stringent privacy obligations.

"We commenced our investigation on Friday and in the first instance RailCorp is going to answer a series of questions and based on the answers to those questions we'll look at what our next step in the investigation is – and if necessary we may speak to third parties to verify some of the answers," said Mr McAteer.

It is understood that the privacy watchdog may speak to Sophos, but the company is not under investigation as the NSW Privacy Commissioner only regulates public agencies.

Mr McAteer said he would not jump to any conclusions; however, he was concerned RailCorp may have breached several sections of the NSW privacy laws concerning using and distributing personal information.

"If they weren't going to return [the USB keys] to the owners or destroy them they had an obligation to work out what was on there and if it was personal information they either had the obligation to cleanse it or to contact the person to whom it related," he said.

Mr McAteer said contacting each individual owner of the USB keys was impractical and the obvious response would've been to destroy the USB keys.

Mr McAteer said his investigation has "royal commission powers" and if a privacy breach is found he can make findings and recommendations but not fine agencies. However, he said individuals whose privacy had been breached could obtain damages from the Administrative Decisions Tribunal.

However, Ducklin, in an email interview with this website, said he did not think RailCorp should be obliged to wipe the data on lost devices they sell "in much the same way that I don't think that ISPs should be obliged to watch your internet traffic and block pirated stuff".

"Apparently NSW Privacy thinks RailCorp should be wiping the keys, but I think NSW Privacy should be frying bigger fish – notably companies which deliberately collect my data for their own commercial purposes, promise to look after it, and then don't," said Ducklin.

Ducklin said if RailCorp was obliged to wipe the USB keys that would cost "way more" than they could be sold for. Already, Sophos paid about 50 per cent more than if they were bought new.

"Then they'll have to start destroying lost USB sticks instead. That would be an environmental shame – we're enough of a disposalist [sic] society already," he said.

Ducklin ridiculed the idea that RailCorp could be expected to protect their customers from making IT blunders.

"What next? Will RailCorp be expected to police the trains looking for people using unsecured 3G wireless hotspots on their daily commute? For iPhone users who haven't set a device passcode?"

Mr McAteer's response was succinct, pointing out that he can only regulate privacy for the public service.

"The 'bigger fish' are beyond the jurisdiction of my office. The law says they can't use the info so they should destroy them. That's the law," he said.

RailCorp said it took the NSW Privacy Commissioner's concerns seriously and it would assist the office with its investigation.

"To ensure we continue to improve our processes RailCorp will be reviewing our guidelines regarding lost property prior to the next auction," a spokesman said.
