The sale of 50 lost USB thumb drives to Sophos has resulted in an investigation by Australian authorities into the rail network operator.
New South Wales privacy commissioner John McAlteer said that RailCop "had an obligation to work out what was on there and if it was personal information they either had the obligation to cleanse it or to contact the person to whom it related."
As the privacy watchdog only has a mandate for public agencies, Sophos aren't expected to be in the frame of the investigation.
Sophos technology chief Paul Ducklin analysed the contents of the drives and found that most were infected with malware. Ducklin told the Sydney Morning Herald that should be "frying bigger fish" rather than going after RailCorp.
Ducklin also said the rail network couldn't be expected to be responsible for security mistakes made by their customers.
"What next? Will RailCorp be expected to police the trains looking for people using unsecured 3G wireless hotspots on their daily commute?" he asked.