Police have apologised after giving infected memory sticks as prizes in a government-run cyber-security quiz.
Taiwan’s national police agency said 54 of the flash drives it gave out at an event highlighting a government’s cybercrime crackdown contained malware.
The virus, which can steal personal data and has been linked to fraud, was added inadvertently, it said.
The Criminal Investigation Bureau (CIB) apologised for the error and blamed the mishap on a third-party contractor.
It said 20 of the drives had been recovered.
Around 250 flash drives were given out at the expo, which was hosted by Taiwan’s Presidential Office from 11-15 December and aimed to highlight the government’s determination to crack down on cybercrime.
All the drives were manufactured in China but the CIB ruled out state-sponsored espionage, saying instead that the bug had originated from a Taiwan-based supplier.
It said a single employee at the firm had transferred data onto 54 of the drives to “test their storage capacity”, infecting them in the process.
The malware, identified as the XtbSeDuA.exe program, was designed to collect personal data and transmit it to a Polish IP address which then bounces it to unidentified servers.
The CIB said it had been used by a cyber-fraud ring uncovered by Europol in 2015.
Only older, 32-bit computers are vulnerable to the bug and common anti-virus software can detect and quarantine it, it said.
The server involved in the latest infections had been shut down, it said.
In May, IBM admitted it had inadvertently shipped malware-infected flash drives to some customers.
The computer maker said drives containing its Storwize storage system had been infected with a trojan and urged customers to destroy them.
At the time, it declined to comment on how the malware ended up on the flash drives or how many customers had been affected.
The trojan, part of the Reconyc family, bombards users with pop-ups and slows down computer systems.
It is known to target users in Russia and India.