
Luxembourg Cybersecurity Study Reveals 18% of Lost USB Drives Are Plugged In Despite Modern Security Awareness
A cybersecurity study conducted by Didier Barzin (CISO at a Luxembourg hospital and creator of the open-source tool Mercator) and Cédric Moni (cybersecurity lead at a Luxembourg telco and president of Clusil, the Luxembourg information security club) assessed the risk of lost USB drives between 2022 and 2024. They distributed 240 harmless 4 GB USB drives across Luxembourg, each carrying a unique ID and an HTML disclaimer file that redirected users to a tracking website when opened.

The study revealed an 18% hit rate, with 36 drives plugged into devices, some accessed within 30 minutes and others after 133 days, matching findings from similar research conducted a decade earlier. The experiment triggered a security incident at a university when 10 drives were lost at a single site, prompting a crisis response. Other drives were traced to users in neighboring countries, including France, Germany, and Belgium, and even to the U.S. via corporate VPNs.

The project highlighted persistent human curiosity as a vulnerability, with no significant decline in risky behavior despite modern alternatives like cloud storage. Clusil, founded in 1996, supported the study to provide local data for risk assessments, emphasizing the ongoing threat of USB-based attacks, including malware, Rubber Ducky devices, and USB Killer hardware. The discussion also underscored the challenges of securing industrial systems where USB maintenance remains critical, as well as the need for continuous user awareness.