Here’s an important safety tip, courtesy of the Privacy Commissioner of Australia’s state of New South Wales: erasing data on a USB drive doesn’t mean it’s gone. Encrypting USB data is the only way to keep it safe.

RailCorp, the Sydney metropolitan commuter rail company, has stopped auctioning off unclaimed USB drives from its lost and found following an investigation by the commissioner’s office—triggered by a report in December by Paul Ducklin, the chief technology officer of computer security firm Sophos. The investigation, whose results Sophos reported on June 17, found that the approach the company used to “clean” the drives left data that could be easily recovered, potentially exposing the original owners’ personal information.

Sophos researchers bought an auction lot of USB drives last September and used automated analysis tools on 50 of the drives to see what they could find. The drives had been “cleaned” by RailCorp employees before auction using Windows’ “long format.” But while that made the files inaccessible to casual browsing, it left the underlying data intact and discoverable with file recovery tools. The company said more thorough approaches to data removal were “economically unviable.” (During the course of the inquiry, RailCorp decided to cease auctioning off USB drives, and it now destroys unclaimed drives.)
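To make the "format is not a wipe" point concrete, here is an added illustration (not code from the article, Sophos or RailCorp) built on a toy disk image: a one-block directory table followed by fixed-size data blocks. The layout, the file names and the file contents are all constructed for the example. A quick format rebuilds the table and leaves the data blocks alone, so a raw signature scan of the kind recovery tools perform still finds the files; only an overwrite of every block removes them. The `residual_bytes` check is the kind of post-wipe verification a custodian should run before a drive leaves their hands.

```python
"""Toy disk image showing why a quick/long format is not a data wipe.

Added illustration, not from the article or from Sophos/RailCorp. The block
layout, table format, file names and contents are constructed for this
example and do not model any real filesystem.
"""

BLOCK = 512            # constructed block size in bytes
TABLE_BLOCKS = 1       # block 0 holds the directory/allocation table
DATA_BLOCKS = 8        # blocks 1..8 hold file contents

# Constructed set of file signatures ("magic bytes") used by the raw carver.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
}


def new_image() -> bytearray:
    """Return an all-zero image: one table block plus DATA_BLOCKS data blocks."""
    return bytearray(BLOCK * (TABLE_BLOCKS + DATA_BLOCKS))


def _table_entries(img: bytearray) -> dict:
    """Parse the table block: lines of 'name:start_block:length', zero padded."""
    raw = bytes(img[:BLOCK * TABLE_BLOCKS]).rstrip(b"\x00")
    entries = {}
    for line in raw.split(b"\n"):
        if line:
            name, start, length = line.split(b":")
            entries[name.decode()] = (int(start), int(length))
    return entries


def write_file(img: bytearray, name: str, data: bytes) -> None:
    """Append a file: copy bytes into the next free data block(s), record it."""
    entries = _table_entries(img)
    used = sum((length + BLOCK - 1) // BLOCK for _, length in entries.values())
    start = TABLE_BLOCKS + used
    need = (len(data) + BLOCK - 1) // BLOCK
    if start + need > TABLE_BLOCKS + DATA_BLOCKS:
        raise ValueError("image full")
    off = start * BLOCK
    img[off:off + len(data)] = data
    entry = f"{name}:{start}:{len(data)}\n".encode()
    table = bytes(img[:BLOCK * TABLE_BLOCKS]).rstrip(b"\x00") + entry
    img[:len(table)] = table


def list_files(img: bytearray) -> list:
    """What a file browser shows: only names present in the table."""
    return sorted(_table_entries(img))


def quick_format(img: bytearray) -> None:
    """Mirror a format: reset the metadata block, leave data blocks untouched."""
    img[:BLOCK * TABLE_BLOCKS] = bytes(BLOCK * TABLE_BLOCKS)


def overwrite_wipe(img: bytearray) -> None:
    """Overwrite every block with zeros; data blocks no longer hold content."""
    img[:] = bytes(len(img))


def carve(img: bytearray) -> list:
    """Signature scan over the raw bytes, ignoring the table entirely.

    This is the basic mechanism recovery tools use; it works as long as the
    data blocks themselves were never overwritten.
    """
    found = []
    for magic, kind in SIGNATURES.items():
        pos = img.find(magic)
        while pos != -1:
            found.append((pos, kind))
            pos = img.find(magic, pos + 1)
    return sorted(found)


def residual_bytes(img: bytearray) -> int:
    """Disposal check after a zero-fill wipe: non-zero bytes left in data area."""
    return sum(1 for b in img[BLOCK * TABLE_BLOCKS:] if b)


def demo():
    """Write two files, format, then wipe; return what each stage reveals."""
    img = new_image()
    write_file(img, "tax.pdf", b"%PDF-1.4 constructed tax return")
    write_file(img, "photo.jpg", b"\xff\xd8\xff\xe0 constructed photo")
    before = list_files(img)                     # both files visible
    quick_format(img)
    after_format = (list_files(img), carve(img))  # table empty, data carvable
    overwrite_wipe(img)
    after_wipe = (carve(img), residual_bytes(img))  # nothing left to carve
    return before, after_format, after_wipe


if __name__ == "__main__":
    print(demo())
```

After `quick_format`, `list_files` returns nothing but `carve` still reports both signatures at their original offsets, which is exactly the gap between "the files are gone" and "the data is gone". One caveat for real flash media: USB sticks and SSDs remap blocks for wear levelling, so even a full overwrite from the host can leave copies in blocks the operating system can no longer address. That is why encrypting the drive before use, or physically destroying it as RailCorp now does, is the dependable option rather than any format or overwrite.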

Sophos found personal tax records, a resume and job application, and hundreds of other personal and work documents (including personal photos and other data). None of the USB drives examined were encrypted, and two-thirds of the drives were infected with some form of malware. While assisting the Privacy Commissioner’s investigation, Sophos demonstrated that data recovery from USB drives could be completely automated, apart from plugging in and removing the drives.