Security firm Sophos analysed a large number of USB sticks lost on an Australian rail network and found that over two-thirds were infected with malware.
Snapping up 57 USB keys at auction, the security researcher analysed the contents and found that out of the keys, which ranged from 256MB to 8GB in size, none of them were encrypted.
"We found 62 infected files in total. The worst key contained six infected files, representing four separate items of malware," Sophos research Paul Ducklin posted on the Naked Security blog.
"The good part is that we didn't find any obvious "smoking guns" on any of the 50 keys. There were no visible plans for nuclear submarines, no insider trading tips, no credit card dumps and no criminal plots," Ducklin added.
"The bad part of this is that even with the most cursory automated analysis, we were able to reveal a good deal of personal information about many of the people who had lost these keys, and about their families, friends and colleagues."
Sophos recommended that users encrypt USB keys for just such occasions. The company also provides a free encryption tool.