Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Security IT

A Corporate-issued Laptop Stolen From a Lenovo Employee in September Contained Unencrypted Payroll Data on APAC Staff (theregister.co.uk) 65

A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, news outlet The Register reports. From the report: Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu. "We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018," the letter from Lenovo HR and IT Security, dated 21 November, stated.

"Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted." Lenovo employs more than 54,000 staff worldwide, the bulk of whom are in China.

This discussion has been archived. No new comments can be posted.

A Corporate-issued Laptop Stolen From a Lenovo Employee in September Contained Unencrypted Payroll Data on APAC Staff

Comments Filter:
  • When I worked for the Govt, all salary information was a public record. Earth did not stop spinning. Depending on how they obfuscate whatever the identity credentials are in their (in the US, that would be social security numbers) there might be some issue, but there's no enough information in the article tell

    • Re: (Score:3, Informative)

      by Desler ( 1608317 )

      Interesting how you completely glossed over the bank account numbers part in the list of data.

      • Interesting how you completely glossed over the bank account numbers part in the list of data.

        every time you write a check or pay by ACH or deposit a check or use your debit card you tell someone your bank account number. This is not a problem

        • Yes but I don't provide a list of everyone's bank account numbers to the entire world when I use my debit card.

          • Charity drives, funeral collections, and alike broadcast account numbers in the open for people to deposit to.

            • here's a portal providng lists of ACH numbers
              http://hcacaring.org/util/docu... [hcacaring.org]

            • by Desler ( 1608317 )

              You seem to be missing the difference between something given out volunatarily vs something being leaked without authoriization. Are you really that fucking dense or just intentionally trolling?

              • Depending on where you are, your bank account number being public isn't a big deal. In Finland for an example, if someone wants to send me money, I give them my bank account number and they send it directly from their bank account to mine. I pay my bills by sending the payment to the companies bank account number. When I need to pay rent, I send it directly to the owners bank account. The worst thing that can happen is someone can send YOU money. Has nothing to do with the ability to remove funds or set up
              • Your face, age weight, aren't tens of thousands of people already have your bank account number since you paid your bills with a check. It's in data bases anyone can purchase.

            • It's about the debit function. Most consumer accounts don't permit that in the US.

              Oh, wait, actually, they do.

              Why not ask the question - why, why does an employee need payroll ACH data on their laptop? Really, why?

              Oh, and of course, in my work this would have been a nothingburger. My laptop has an encrypted HD, this data would always have been delivered either by secure email (a web based gizmo, encrypted and password protected access) or encrypted cloud drive which grants access by invitation only, and the

        • by I75BJC ( 4590021 )
          That's only Mostly correct (and therefore, your not correct). Electronic checks (ACH) from my bank do not bear my account details. Nor does my debit card bear my account details. Even if they did, I still do not want my account details stolen, leaked or release by a third party. If I chose to give my data, that is okay; if I don't make that choice myself, that is bad. What happened was not a choice these account holders made.
        • by Desler ( 1608317 )

          Ok. Well then please provide me your bank account number. It's not a problem, right?

  • Why does the system even allow people to download this sort of data?
  • Companies are always so tight with their pay grades. They don't want the plebs to know *exactly* how much the C-level folks are fucking them. They don't want the chicks to know how many guys are making 2x as they make in the same job. They don't want the guy who just keeps his head down to perk up and wonder why all the loudmouth assholes make more than him but do less. Hack these corporate bastards and post their pay levels on every pastebin and blog you can find. The corporate feudal dickheads hate when their payroll figures are released, which can only mean it's a good thing.
  • What!?!? (Score:4, Insightful)

    by erp_consultant ( 2614861 ) on Friday December 14, 2018 @10:25AM (#57803280)

    Any employer issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee who's laptop got stolen. It is the fault of the IT department and, ultimately, senior management.

    • I highly agree. I'm surprised there are companies or entities that don't make hard drive encryption mandatory. It is all too common a laptop goes missing or is stolen and has some form of company sensitive or customer personal information on it. The default position of an IT department is that it WILL be stolen and work back from there on protections of the data.
    • Any employer issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee who's laptop got stolen. It is the fault of the IT department and, ultimately, senior management.

      It's only 2018 give Lenovo a break. It's not like they know anything about computers.

  • Are most laptops not encrypted by default (behind a password)? Or are they saying that if the person gains access by guessing or brute forcing the password then the files themselves are un encypted?
    • Or are they saying that if the person gains access by guessing or brute forcing the password then the files themselves are un encypted?

      Doesn't even need to be that -- if I gain physical access to your laptop, there's nothing stopping me bypassing your password entirely by simply removing your laptop's hard drive and plugging it into my own system. Which is likely what happened in this case. Your password controls access to the operating system and everything running on it, but when it comes to the underlying file system, it does sweet fuck all.

      Thankfully, there are plenty of tools to do that in this day of age. All non-Home editions of

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...