Slashdot Mirror


A Corporate-issued Laptop Stolen From a Lenovo Employee in September Contained Unencrypted Payroll Data on APAC Staff (theregister.co.uk)

A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, news outlet The Register reports. From the report: Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu. "We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018," the letter from Lenovo HR and IT Security, dated 21 November, stated.

"Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted." Lenovo employs more than 54,000 staff worldwide, the bulk of whom are in China.

65 comments

  1. Whup tee doo by goombah99 · · Score: 1

    When I worked for the Govt, all salary information was a public record. Earth did not stop spinning. Depending on how they obfuscate whatever the identity credentials are in their (in the US, that would be social security numbers) there might be some issue, but there's not enough information in the article to tell.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Whup tee doo by Desler · · Score: 3, Informative

      Interesting how you completely glossed over the bank account numbers part in the list of data.

  2. May actually benefit employees. by Anonymous Coward · · Score: 0

      including employee name, monthly salary amounts

    So in other words, this may be a rare leak that hurts the company, and benefits employees. Generally when employees find out other people's salaries, they aren't mad at the other employees, they're mad at the company and demand raises.

    So, laptop thief, care to release the payroll data?

    1. Re: May actually benefit employees. by Anonymous Coward · · Score: 0

      Too funny

    2. Re:May actually benefit employees. by Desler · · Score: 1

      Yeah having the employees' bank account numbers leak is pretty beneficial. Uhhh... not.

  3. Mai Pei Lo says they are not happy by Anonymous Coward · · Score: 0

    Give me your bank account and routing number and I'll put 5 million in there right away for you to hold for me!

  4. Why is this even possible today? by Luthair · · Score: 1

    Why does the system even allow people to download this sort of data?

    1. Re:Why is this even possible today? by Anonymous Coward · · Score: 0

      Because executives, and travelling employees demand it, or they demand remote access (almost as bad). The people that use it the most are usually overworked staff putting in hours at home. Why was the drive unencrypted? That could be either lazy, or understaffed IT department. Either way IT will get thrown under the bus for sure.

    2. Re:Why is this even possible today? by Luthair · · Score: 1

      The drive being unencrypted doesn't shock me. Think of the number of people who forget their passwords.

    3. Re:Why is this even possible today? by Anonymous Coward · · Score: 0

      Or it was BitLocker encrypted, then the TPM started screwing up, and the only way to get the computer to work again was to shut off BitLocker and hope nobody stole it.

  5. No security system survives... by Anonymous Coward · · Score: 0

    No security system survives idiot employees who just email excel sheets to each other.

    1. Re:No security system survives... by bill_mcgonigle · · Score: 1

      Encrypted hard drives prevent those idiots' lost computers from causing massive data breaches.

      Lenovo needs to ask itself why it's not trivially easy to deploy their laptops with drive encryption enabled by default.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:No security system survives... by Opportunist · · Score: 1

      Umm... it is?

      The question is rather, why don't they eat their own dogfood?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:No security system survives... by known_coward_69 · · Score: 1

      some people just don't understand. my wife deals with HIPAA stuff and has left stuff in the car she shouldn't have. I tell her she can get in a lot of trouble for doing so, but it's too much effort to carry a laptop for some people.

    4. Re:No security system survives... by pgmrdlm · · Score: 1

      I was wondering this also. I work for a large utility. All of our laptops/tough books/desk tops are encrypted at the hard drive level.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    5. Re:No security system survives... by Anonymous Coward · · Score: 0

      You work for Putin, faggot TRAITOR. You should be ground up to the dog food level.

    6. Re:No security system survives... by pgmrdlm · · Score: 1

      Ahhh, the pussy liberal that whores themselves out the infected cock is heard from again. Keep fucking that infected cock pussy liberal. soon you will die a slow death from disease that there will be no cure for. Hope to piss on your grave soon.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
  6. Meh; been there done that. by RevRagnarok · · Score: 1
    --
    I should put something clever here. Maybe someday.
  7. Secret payroll data only benefits the company by sjbe · · Score: 5, Insightful

    So in other words, this may be a rare leak that hurts the company, and benefits employees. Generally when employees find out other people's salaries, they aren't mad at the other employees, they're mad at the company and demand raises.

    I actually saw something like this a while back. A secretary at our company was photocopying payroll data including pay rates for all the employees on the campus. She accidentally left it on the copier. By the time she realized her mistake and came scurrying back to get it, it had already been copied and distributed and soon enough was posted prominently around the building. So everyone knew what everyone else was making and the company had a lot of explaining to do for certain... discrepancies.

    I've always been puzzled why employees are so willing to go along with not sharing their pay data since keeping it a secret generally only benefits the company.

  8. Not a problem by goombah99 · · Score: 1

    Interesting how you completely glossed over the bank account numbers part in the list of data.

    Every time you write a check or pay by ACH or deposit a check or use your debit card you tell someone your bank account number. This is not a problem.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Not a problem by tripleevenfall · · Score: 1

      Yes but I don't provide a list of everyone's bank account numbers to the entire world when I use my debit card.

    2. Re:Not a problem by I75BJC · · Score: 2

      That's only Mostly correct (and therefore, you're not correct). Electronic checks (ACH) from my bank do not bear my account details. Nor does my debit card bear my account details. Even if they did, I still do not want my account details stolen, leaked or released by a third party. If I chose to give my data, that is okay; if I don't make that choice myself, that is bad. What happened was not a choice these account holders made.

    3. Re:Not a problem by Desler · · Score: 1

      Ok. Well then please provide me your bank account number. It's not a problem, right?

    4. Re:Not a problem by Anonymous Coward · · Score: 0

      How do you think the funds get transferred if they don't have your ACH number?

    5. Re:Not a problem by goombah99 · · Score: 1

      888173401

      Have fun!

      --
      Some drink at the fountain of knowledge. Others just gargle.
    6. Re:Not a problem by Desler · · Score: 1

      What relevance does that have to anything? This situation and a situation where I have chosen to give a vendor my banking details are not even remotely comparable.

    7. Re:Not a problem by Anonymous Coward · · Score: 0

      we need your name as well, and the banking institution you use, as well as their routing number please.
      ironically, the captcha is "iceberg"

    8. Re:Not a problem by Anonymous Coward · · Score: 0

      It's all provided on my homepage for people who would like to donate to me. What's wrong with that?

  9. Bitlocker everything! by Anonymous Coward · · Score: 0

    You need to Bitlocker Encrypt your stuff.

    Ask Microsoft Premier to assist with MBAM Deployment.

  10. Don't have electronic security training ? by Anonymous Coward · · Score: 0

    If your place of business does not have mandatory training for employees that handle confidential and financial data, then they're doing it wrong.

    Now if an employee doesn't follow the guidelines provided, which happens pretty often, then disciplinary measures are appropriate.

  11. It depends on where you think you rank by raymorris · · Score: 2

    > I've always been puzzled why employees are so willing to go along with not sharing their pay data since keeping it a secret generally only benefits the company.

    Often, a manager is budgeted a certain amount of money for raises. Employees are competing with each other for chunks of the budget.

    If you have more experience, or more valuable experience, than your direct boss it might be good to keep quiet. It can be harder to get a raise when your boss knows you already make more than they do, and they think they should get that chunk of the salary budget. Similarly for peer employees who may have been at the company longer, but perhaps are less productive or have less specialized skills.

    The last time I switched jobs, one company that wanted to hire me increased their offer by 25% to compete with the other company that wanted me. I'm sure that 25% increase in the offer would put my salary higher than many of my co-workers. It would have been in my best interest to take the money and be quiet, while doing good work to earn a raise a year later. Publicizing to all of my co-workers that I was being paid much more than them wouldn't have been helpful to me.

    On the contrary, if you think other employees with lower qualifications are being paid more, sure that could be an argument for you getting a raise. If you can show that you're better qualified and more productive than Bob, you can argue that your salary should be at least as high as Bob's. So it depends on where you think you are on the scale, near the top or near the bottom.

    On the third hand, if you're making less than Sally, finding that out might only piss you off. If you ask the boss "why does Sally get paid more than me?", the answer might be "because Sally isn't an idiot. Sally can write an email and actually know the meaning of the words she uses". :)

    In the end, what matters to me is paying my bills. How much a co-worker makes doesn't matter to me. For comparing my pay to what I could be making, I can compare to industry averages etc. A few data points of co-workers doesn't tell me as much as industry statistics, particularly because none of my co-workers has exactly the same qualifications as I. It's more useful for me to compare industry averages for people with similar qualifications.

    1. Re:It depends on where you think you rank by drinkypoo · · Score: 0

      In the end, what matters to me is paying my bills. How much a co-worker makes doesn't matter to me.

      All I want is what's fair. And what's fair is based on work output. And if someone else is putting out a lot less than me but getting more, then I want more. To me this is like how Ohio can have fancy Botts' Dots that don't get scraped off by snowplows but here in California we have to put them into holes instead because we are paying for Ohio's road maintenance. They get more back from the feds than they send, we get less. Then they spend it on stuff we can't afford because we have to subsidize them. The exact same thing happens when your coworkers are overpaid. There's only so much money budgeted for salaries and every dollar an underperformer is paid effectively represents a dollar stolen from all of the employees who are actually doing their jobs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: It depends on where you think you rank by Anonymous Coward · · Score: 0

      Fucking loser. U get what you take

    3. Re:It depends on where you think you rank by Anonymous Coward · · Score: 0

      My google's broken. Fix it asshole.

  12. I hope this is a new trend - but release the data! by Seven+Spirals · · Score: 2

    Companies are always so tight with their pay grades. They don't want the plebs to know *exactly* how much the C-level folks are fucking them. They don't want the chicks to know how many guys are making 2x as they make in the same job. They don't want the guy who just keeps his head down to perk up and wonder why all the loudmouth assholes make more than him but do less. Hack these corporate bastards and post their pay levels on every pastebin and blog you can find. The corporate feudal dickheads hate when their payroll figures are released, which can only mean it's a good thing.

  13. Lots of people do by goombah99 · · Score: 1

    Charity drives, funeral collections, and alike broadcast account numbers in the open for people to deposit to.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Lots of people do by Desler · · Score: 1

      You seem to be missing the difference between something given out voluntarily vs something being leaked without authorization. Are you really that fucking dense or just intentionally trolling?

    2. Re:Lots of people do by rickb928 · · Score: 2

      It's about the debit function. Most consumer accounts don't permit that in the US.

      Oh, wait, actually, they do.

      Why not ask the question - why, why does an employee need payroll ACH data on their laptop? Really, why?

      Oh, and of course, in my work this would have been a nothingburger. My laptop has an encrypted HD, this data would always have been delivered either by secure email (a web based gizmo, encrypted and password protected access) or encrypted cloud drive which grants access by invitation only, and the file itself would be encrypted.

      Unless someone ignored at least two different policies and procedures, and the HD encryption would be difficult to overcome, being a corporate implementation with certificates and the whole schmeel.

      Really, so many fails, but the one that stands out was the excess data. Overall, I cannot imagine having similar data on my laptop. It would be on my corp. cloud drive. I do not want to be on the front page of the fishwrap for this. Ever.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re:Lots of people do by EvilSurfinCow · · Score: 1

      Depending on where you are, your bank account number being public isn't a big deal. In Finland, for example, if someone wants to send me money, I give them my bank account number and they send it directly from their bank account to mine. I pay my bills by sending the payment to the company's bank account number. When I need to pay rent, I send it directly to the owner's bank account. The worst thing that can happen is someone can send YOU money. Has nothing to do with the ability to remove funds or set up some liability against my account.

    4. Re:Lots of people do by Anonymous Coward · · Score: 0

      you do know that most of the drives sold with FIPS encryption turned out to be hackable right? unless you bought one in the last month.

    5. Re: Lots of people do by rickb928 · · Score: 1

      Mine is just Bit locker, AES 256. It will have to do. FIPS wouldn't be appropriate anyway.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    6. Re: Lots of people do by Anonymous Coward · · Score: 0

      If your bitlocker implements the hardware encryption rather than rolling its own, it's not secure anymore.

  14. What!?!? by erp_consultant · · Score: 3, Insightful

    Any employer issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee whose laptop got stolen. It is the fault of the IT department and, ultimately, senior management.

    1. Re:What!?!? by Anonymous Coward · · Score: 0

      It was not a Thinkpad, it was one of those Lenovo-branded trash (yoga, etc). So, all it did was rot13 "encription"...

    2. Re:What!?!? by Only+Time+Will+Tell · · Score: 1

      I highly agree. I'm surprised there are companies or entities that don't make hard drive encryption mandatory. It is all too common a laptop goes missing or is stolen and has some form of company sensitive or customer personal information on it. The default position of an IT department is that it WILL be stolen and work back from there on protections of the data.

    3. Re:What!?!? by thegarbz · · Score: 1

      Any employer issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee whose laptop got stolen. It is the fault of the IT department and, ultimately, senior management.

      It's only 2018 give Lenovo a break. It's not like they know anything about computers.

  15. for example by goombah99 · · Score: 1

    here's a portal providing lists of ACH numbers
    http://hcacaring.org/util/docu...

    --
    Some drink at the fountain of knowledge. Others just gargle.
  16. Playing employees off against each other by sjbe · · Score: 0

    If you have more experience, or more valuable experience, than your direct boss it might be good to keep quiet.

    That's just the company playing employees off against each other. Experience doesn't mean shit. Performance does. If someone is doing the same job and getting the same results then they should be getting paid the same. Going to a fancy school or what you did in a previous job does-not/should-not matter. Again, this is something that in most cases benefits the company to the detriment of some/most/all of the workers. And if the boss can't justify a pay disparity with an explanation based in some kind of evidence of performance then that's a problem.

    In the end, what matters to me is paying my bills. How much a co-worker makes doesn't matter to me.

    Really? If you are doing the same work and getting paid less for it that wouldn't bother you? You might feel very differently if you were a woman or minority and getting paid less than your white male colleagues - that happens all the time. My wife works with some people who just ran into that. They didn't know they were being paid less than a male in their company even though they did the same work with similar to better results and some had longer tenure with the company and more experience. When this was discovered they were justifiably pissed and it could have resulted in a lawsuit. (the company to their credit fixed the problem as soon as it was realized)

  17. Fair is in the eye of the beholder by sjbe · · Score: 1

    All I want is what's fair. And what's fair is based on work output.

    Is it really? Fair is a VERY nebulous term. Work output can be one measure of fair but not the only one and sometimes not the most important one and sometime it is impossible to determine. Work output can be extremely difficult to objectively measure for some jobs. If you're making widgets on an assembly line it's pretty easy but most jobs are not that easy to measure. What units do you measure the productivity of a secretary answering phone calls with that would be useful in comparison to an engineer designing a widget? Both jobs need to be done and not everything can be or should be ranked. Companies with rank and yank systems don't tend to do very well in the long run because of the resentment and fear such systems instill.

    To me this is like how Ohio can have fancy Botts' Dots that don't get scraped off by snowplows but here in California we have to put them into holes instead because we are paying for Ohio's road maintenance.

    And I pay more money into our health care system than the value of care I receive so that my grandmother can get her health care paid for. That's not a bad thing. Some pay more so we all benefit. Someday my turn will come for someone to support me. You are trying to justify selfishness as some sort of virtue even though it results in a worse outcome for more people. California's well being depends in no tiny part on the well being of Ohio (and Michigan and Alabama and...). Sometimes California gives and sometimes they receive. That's what being in a society is about - we cooperate and support each other. At one time Ohio had a bigger population and bigger economy than California. By your argument California should have gone begging.

    There's only so much money budgeted for salaries and every dollar an underperformer is paid effectively represents a dollar stolen from all of the employees who are actually doing their jobs.

    Again with the selfishness. Someone is always going to be below average but evidently you missed the memo that business is a team sport and it's not a zero sum game. Help your fellow man and you can both benefit more than you might otherwise.

    1. Re:Fair is in the eye of the beholder by drinkypoo · · Score: 1

      Someone is always going to be below average but evidently you missed the memo that business is a team sport and it's not a zero sum game. Help your fellow man and you can both benefit more than you might otherwise.

      I deserve help too, just as much as they do. Hell, maybe more. I'm underprivileged in more ways than in which I'm privileged. The under-performers consistently seem to be the most over-privileged, from where I'm sitting. They got more whether they deserved it or not, so they feel like they deserve more whether they earn it or not.

      Also, as long as we behave unsustainably, then capitalism is a negative-sum game. I want to enjoy my life while life remains enjoyable, and I can better do that if I am equitably rewarded for my efforts. If someone else is getting paid more because they're blowing the boss or whatever, I don't give a shit about the blowjobs — I just want that money. They can trade blowjobs for money on their own time, and someone else's dime.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Re: Butt Buddies. by Anonymous Coward · · Score: 0

    Haven't learned much in your fifteen years, have you.

  19. I'm curious what they mean by unencrypted by SmaryJerry · · Score: 1

    Are most laptops not encrypted by default (behind a password)? Or are they saying that if the person gains access by guessing or brute forcing the password then the files themselves are unencrypted?

    1. Re:I'm curious what they mean by unencrypted by Kelerei · · Score: 1

      Or are they saying that if the person gains access by guessing or brute forcing the password then the files themselves are unencrypted?

      Doesn't even need to be that -- if I gain physical access to your laptop, there's nothing stopping me bypassing your password entirely by simply removing your laptop's hard drive and plugging it into my own system. Which is likely what happened in this case. Your password controls access to the operating system and everything running on it, but when it comes to the underlying file system, it does sweet fuck all.

      Thankfully, there are plenty of tools to do that in this day and age. All non-Home editions of Windows since Vista come with BitLocker, which provides full disk encryption, and the Lenovo-issued corporate laptop would likely have had this tool available (not having it, or an open-source equivalent, enabled is a monumental failure of Lenovo's internal IT policies). There's also VeraCrypt for the open-source world (people I know who have used it speak of it highly), and Wikipedia has a lengthy comparison of disk encryption software if you're interested further.
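      As an added example (mine, not from any commenter on this thread), here is the audit a defender would run for the two failure modes raised in this thread: an OS drive with no disk encryption at all, so the disk can simply be pulled and mounted elsewhere, and a BitLocker volume whose protection was suspended to work around a misbehaving TPM. It uses the stock BitLocker and TrustedPlatformModule cmdlets on Windows Pro/Enterprise; the finding categories and the exit code are my own assumptions.

```powershell
# Added example, not code from the thread or from Lenovo: audit BitLocker state
# on a Windows laptop and flag the failure modes discussed above.
# Requires the BitLocker module (Windows Pro/Enterprise) and an elevated prompt.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    $findings = @()
    # TpmPresent / TpmReady tell us whether a TPM-bound protector is even viable.
    $tpm = Get-Tpm

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $issue = $null

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # The Lenovo case: nothing on the disk is protected. Removing the drive
            # and mounting it on another machine bypasses the Windows logon entirely.
            $issue = 'Not encrypted'
        }
        elseif ($vol.ProtectionStatus -eq 'Off') {
            # Encrypted, but protectors suspended: the "turn BitLocker off until the
            # TPM behaves" workaround. The volume key is stored in the clear on disk,
            # so for a stolen laptop this is equivalent to unencrypted.
            $issue = 'Encrypted but protection suspended (clear key on disk)'
        }
        elseif ($vol.VolumeType -eq 'OperatingSystem' -and -not ($protectorTypes -match '^Tpm')) {
            # Password-only or recovery-only OS volumes are weaker than TPM-bound ones
            # and are usually a sign of a TPM that was never provisioned.
            $issue = 'OS volume has no TPM-bound protector'
        }
        elseif (-not ($protectorTypes -contains 'RecoveryPassword')) {
            # Without an escrowed recovery password, a flaky TPM turns into data loss,
            # which is exactly what pushes admins into disabling encryption.
            $issue = 'No recovery password protector (nothing to escrow)'
        }

        if (-not $issue) { $issue = 'OK' }

        $findings += [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($protectorTypes -join ',')
            TpmPresent       = $tpm.TpmPresent
            TpmReady         = $tpm.TpmReady
            Issue            = $issue
        }
    }
    return $findings
}

$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize

# Non-zero exit so an endpoint-management or MBAM-style compliance job can
# surface the device instead of silently accepting the state.
if ($audit | Where-Object { $_.Issue -ne 'OK' }) { exit 1 }
```

      Run it as a scheduled compliance check rather than once: the "protection suspended" state is the one that appears after an encrypted device has already passed an initial audit.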

  20. Don't should all over yourself by raymorris · · Score: 1

    > Experience doesn't mean shit. Performance does. If someone is doing the same job and getting the same results then they should be getting paid the same.

    You can "should" all you want, but these are the facts.
    If Linus's resume has the experience "I created Linux and managed it for 20 years", he's going to be able to get a certain salary.
    If Bob's resume shows his experience is "I saw a Linux computer once", he's going to be able to get a certain salary.

    Bob can whine all day about "my code is just as good, I *should* make just as much as Linus", but that's not reality. Reality is your qualifications, your education, expertise, demonstrated results, and communication skills determine how much competing companies will offer you, and therefore how much your company needs to pay to keep you.

    You can think all day that your performance is as good as mine in designing security controls, but because I have proven experience and skills in that area, I'm going to get better job offers than you in that field. That's reality.

    1. Re: Don't should all over yourself by Anonymous Coward · · Score: 0

      That is the old racist way of running a business. The new equally inclusive way of running business today is to suck up to your boss to advance. Working hard and doing well just gets you shitted upon. In the past the boss was responsible for the company's performance, so he had an interest in ensuring people who actually were helping the company got advanced and the brown nosers were kept at bay.

      Today not even the boss is held responsible for the company's performance. They did not build the company and were handed the job for having graduated from some elite liberal school and growing up with other elites. When the company tanks they get on their golden parachute, move to a different industry and fuck up the next company.

  21. Re:I hope this is a new trend - but release the da by AndrewFlagg · · Score: 1

    no biggie. i did that once accidentally on a team level review communication (a Microsoft bug in Excel OLE) and then realized it certainly did settle down what they already knew. who gets paid what for who does the work, and those that just show up and get paid.. paid for performance, not seniority... i could not fire someone directly because of HR and their stupid rules of rehabilitation due to poor performance, at first I thought.. oh my.. but then I realized, well, it just shows my good judgement.. there. now would everyone shut up and realize, you get paid for what you do... i just proved it... if you don't like it... go get a different job...

  22. Chinese Spy Oops! by Anonymous Coward · · Score: 0

    Yer fuckt America. The chink spies are three or four levels deep now.

  23. Wait, hold on a second... by Anonymous Coward · · Score: 0

    corporate-issued laptop lifted from a Lenovo employee in Singapore

    ... there was a crime in Singapore?!?

  24. ORLY by Anonymous Coward · · Score: 0

    LENOVO screwing up? You gotta be kidding!

  25. Not everything is private by goombah99 · · Score: 1

    Your face, age, weight. Don't tens of thousands of people already have your bank account number, since you paid your bills with a check? It's in databases anyone can purchase.

    --
    Some drink at the fountain of knowledge. Others just gargle.