A Corporate-issued Laptop Stolen From a Lenovo Employee in September Contained Unencrypted Payroll Data on APAC Staff (theregister.co.uk)
A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, news outlet The Register reports. From the report: Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu. "We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018," the letter from Lenovo HR and IT Security, dated 21 November, stated.
"Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted." Lenovo employs more than 54,000 staff worldwide, the bulk of whom are in China.
Whup tee doo (Score:2)
When I worked for the Govt, all salary information was a public record. Earth did not stop spinning. Depending on how they obfuscate whatever the identity credentials are in their (in the US, that would be social security numbers) there might be some issue, but there's not enough information in the article to tell
Re: (Score:3, Informative)
Interesting how you completely glossed over the bank account numbers part in the list of data.
Not a problem (Score:2)
> Interesting how you completely glossed over the bank account numbers part in the list of data.
Every time you write a check or pay by ACH or deposit a check or use your debit card, you tell someone your bank account number. This is not a problem.
Re: (Score:2)
Yes but I don't provide a list of everyone's bank account numbers to the entire world when I use my debit card.
Lots of people do (Score:2)
Charity drives, funeral collections, and the like broadcast account numbers in the open for people to deposit to.
for example (Score:2)
Here's a portal providing lists of ACH numbers
http://hcacaring.org/util/docu... [hcacaring.org]
Re: (Score:1)
You seem to be missing the difference between something given out voluntarily vs something being leaked without authorization. Are you really that fucking dense or just intentionally trolling?
Not everything is private (Score:2)
Your face, age, weight, aren't tens of thousands of people already have your bank account number since you paid your bills with a check. It's in databases anyone can purchase.
Re: (Score:3)
It's about the debit function. Most consumer accounts don't permit that in the US.
Oh, wait, actually, they do.
Why not ask the question - why, why does an employee need payroll ACH data on their laptop? Really, why?
Oh, and of course, in my work this would have been a nothingburger. My laptop has an encrypted HD, this data would always have been delivered either by secure email (a web based gizmo, encrypted and password protected access) or encrypted cloud drive which grants access by invitation only, and the
Re: Lots of people do (Score:2)
Mine is just BitLocker, AES 256. It will have to do. FIPS wouldn't be appropriate anyway.
Re: (Score:1)
What relevance does that have to anything? This situation and a situation where I have chosen to give a vendor my banking details are not even remotely comparable.
Re: (Score:1)
Ok. Well then please provide me your bank account number. It's not a problem, right?
Re: (Score:2)
888173401
Have fun!
Re: (Score:1)
Yeah having the employees' bank account numbers leak is pretty beneficial. Uhhh... not.
Secret payroll data only benefits the company (Score:5, Insightful)
So in other words, this may be a rare leak that hurts the company, and benefits employees. Generally when employees find out other people's salaries, they aren't mad at the other employees, they're mad at the company and demand raises.
I actually saw something like this a while back. A secretary at our company was photocopying payroll data including pay rates for all the employees on the campus. She accidentally left it on the copier. By the time she realized her mistake and came scurrying back to get it, it had already been copied and distributed and soon enough was posted prominently around the building. So everyone knew what everyone else was making and the company had a lot of explaining to do for certain... discrepancies.
I've always been puzzled why employees are so willing to go along with not sharing their pay data since keeping it a secret generally only benefits the company.
It depends on where you think you rank (Score:3)
> I've always been puzzled why employees are so willing to go along with not sharing their pay data since keeping it a secret generally only benefits the company.
Often, a manager is budgeted a certain amount of money for raises. Employees are competing with each other for chunks of the budget.
If you have more experience, or more valuable experience, than your direct boss it might be good to keep quiet. It can be harder to get a raise when your boss knows you already make more than they do, and they think
Re: (Score:1)
In the end, what matters to me is paying my bills. How much a co-worker makes doesn't matter to me.
All I want is what's fair. And what's fair is based on work output. And if someone else is putting out a lot less than me but getting more, then I want more. To me this is like how Ohio can have fancy Botts' Dots that don't get scraped off by snowplows but here in California we have to put them into holes instead because we are paying for Ohio's road maintenance. They get more back from the feds than they send, we get less. Then they spend it on stuff we can't afford because we have to subsidize them. The e
Fair is in the eye of the beholder (Score:2)
> All I want is what's fair. And what's fair is based on work output.
Is it really? Fair is a VERY nebulous term. Work output can be one measure of fair but not the only one and sometimes not the most important one and sometimes it is impossible to determine. Work output can be extremely difficult to objectively measure for some jobs. If you're making widgets on an assembly line it's pretty easy but most jobs are not that easy to measure. What units do you measure the productivity of a secretary answering phone calls with that would be useful in comparison to an engineer
Re: (Score:2)
> Someone is always going to be below average but evidently you missed the memo that business is a team sport and it's not a zero sum game. Help your fellow man and you can both benefit more than you might otherwise.
I deserve help too, just as much as they do. Hell, maybe more. I'm underprivileged in more ways than in which I'm privileged. The under-performers consistently seem to be the most over-privileged, from where I'm sitting. They got more whether they deserved it or not, so they feel like they deserve more whether they earn it or not.
Also, as long as we behave unsustainably, then capitalism is a negative-sum game. I want to enjoy my life while life remains enjoyable, and I can better do that if I am equitably r
Playing employees off against each other (Score:1)
> If you have more experience, or more valuable experience, than your direct boss it might be good to keep quiet.
That's just the company playing employees off against each other. Experience doesn't mean shit. Performance does. If someone is doing the same job and getting the same results then they should be getting paid the same. Going to a fancy school or what you did in a previous job does-not/should-not matter. Again, this is something that in most cases benefits the company to the detriment of some/most/all of the workers. And if the boss can't justify a pay disparity with an explanation based in some kind o
Don't should all over yourself (Score:2)
> Experience doesn't mean shit. Performance does. If someone is doing the same job and getting the same results then they should be getting paid the same.
You can "should" all you want, but these are the facts.
If Linus's resume has the experience "I created Linux and managed it for 20 years", he's going to be able to get a certain salary.
If Bob's resume shows his experience is "I saw a Linux computer once", he's going to be able to get a certain salary.
Bob can whine all day about "my code is just as good,
Why is this even possible today? (Score:2)
Re: (Score:2)
Encrypted hard drives prevent those idiots' lost computers from causing massive data breaches.
Lenovo needs to ask itself why it's not trivially easy to deploy their laptops with drive encryption enabled by default.
Re: (Score:2)
Umm... it is?
The question is rather, why don't they eat their own dogfood?
Re: (Score:2)
Some people just don't understand. My wife deals with HIPAA stuff and has left stuff in the car she shouldn't have. I tell her she can get in a lot of trouble for doing so, but it's too much effort to carry a laptop for some people.
Meh; been there done that. (Score:2)
I hope this is a new trend - but release the data! (Score:3)
What!?!? (Score:4, Insightful)
Any employer issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee whose laptop got stolen. It is the fault of the IT department and, ultimately, senior management.
Re: (Score:2)
> Any employer issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee whose laptop got stolen. It is the fault of the IT department and, ultimately, senior management.
It's only 2018, give Lenovo a break. It's not like they know anything about computers.
I'm curious what they mean by unencrypted (Score:2)
Re: (Score:2)
> Or are they saying that if the person gains access by guessing or brute forcing the password then the files themselves are unencrypted?
Doesn't even need to be that -- if I gain physical access to your laptop, there's nothing stopping me bypassing your password entirely by simply removing your laptop's hard drive and plugging it into my own system. Which is likely what happened in this case. Your password controls access to the operating system and everything running on it, but when it comes to the underlying file system, it does sweet fuck all.
Thankfully, there are plenty of tools to do that in this day and age. All non-Home editions of