Slashdot Mirror


A Corporate-issued Laptop Stolen From a Lenovo Employee in September Contained Unencrypted Payroll Data on APAC Staff (theregister.co.uk)

A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, news outlet The Register reports. From the report: Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu. "We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018," the letter from Lenovo HR and IT Security, dated 21 November, stated.

"Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted." Lenovo employs more than 54,000 staff worldwide, the bulk of whom are in China.

7 of 65 comments

  1. Re:Whup tee doo by Desler · · Score: 3, Informative

    Interesting how you completely glossed over the bank account numbers part in the list of data.

  2. Secret payroll data only benefits the company by sjbe · · Score: 5, Insightful

    So in other words, this may be a rare leak that hurts the company, and benefits employees. Generally when employees find out other people's salaries, they aren't mad at the other employees, they're mad at the company and demand raises.

    I actually saw something like this a while back. A secretary at our company was photocopying payroll data including pay rates for all the employees on the campus. She accidentally left it on the copier. By the time she realized her mistake and came scurrying back to get it, it had already been copied and distributed and soon enough was posted prominently around the building. So everyone knew what everyone else was making and the company had a lot of explaining to do for certain... discrepancies.

    I've always been puzzled why employees are so willing to go along with not sharing their pay data since keeping it a secret generally only benefits the company.

  3. It depends on where you think you rank by raymorris · · Score: 2

    > I've always been puzzled why employees are so willing to go along with not sharing their pay data since keeping it a secret generally only benefits the company.

    Often, a manager is budgeted a certain amount of money for raises. Employees are competing with each other for chunks of the budget.

    If you have more experience, or more valuable experience, than your direct boss it might be good to keep quiet. It can be harder to get a raise when your boss knows you already make more than they do, and they think they should get that chunk of the salary budget. Similarly for peer employees who may have been at the company longer, but perhaps are less productive or have less specialized skills.

    The last time I switched jobs, one company that wanted to hire me increased their offer by 25% to compete with the other company that wanted me. I'm sure that 25% increase in the offer would put my salary higher than many of my co-workers. It would have been in my best interest to take the money and be quiet, while doing good work to earn a raise a year later. Publicizing to all of my co-workers that I was being paid much more than them wouldn't have been helpful to me.

    On the contrary, if you think other employees with lower qualifications are being paid more, sure that could be an argument for you getting a raise. If you can show that you're better qualified and more productive than Bob, you can argue that your salary should be at least as high as Bob's. So it depends on where you think you are on the scale, near the top or near the bottom.

    On the third hand, if you're making less than Sally, finding that out might only piss you off. If you ask the boss "why does Sally get paid more than me?", the answer might be "because Sally isn't an idiot. Sally can write an email and actually know the meaning of the words she uses". :)

    In the end, what matters to me is paying my bills. How much a co-worker makes doesn't matter to me. For comparing my pay to what I could be making, I can compare to industry averages etc. A few data points of co-workers doesn't tell me as much as industry statistics, particularly because none of my co-workers has exactly the same qualifications as I. It's more useful for me to compare industry averages for people with similar qualifications.

  4. Re:Not a problem by I75BJC · · Score: 2

    That's only Mostly correct (and therefore, you're not correct). Electronic checks (ACH) from my bank do not bear my account details. Nor does my debit card bear my account details. Even if they did, I still do not want my account details stolen, leaked or released by a third party. If I chose to give my data, that is okay; if I don't make that choice myself, that is bad. What happened was not a choice these account holders made.

  5. I hope this is a new trend - but release the data! by Seven+Spirals · · Score: 2

    Companies are always so tight with their pay grades. They don't want the plebs to know *exactly* how much the C-level folks are fucking them. They don't want the chicks to know how many guys are making 2x as they make in the same job. They don't want the guy who just keeps his head down to perk up and wonder why all the loudmouth assholes make more than him but do less. Hack these corporate bastards and post their pay levels on every pastebin and blog you can find. The corporate feudal dickheads hate when their payroll figures are released, which can only mean it's a good thing.

  6. What!?!? by erp_consultant · · Score: 3, Insightful

    Any employer-issued laptop should have the entire hard drive encrypted. The fact that it wasn't is not the fault of the employee whose laptop got stolen. It is the fault of the IT department and, ultimately, senior management.

  7. Re:Lots of people do by rickb928 · · Score: 2

    It's about the debit function. Most consumer accounts don't permit that in the US.

    Oh, wait, actually, they do.

    Why not ask the question - why, why does an employee need payroll ACH data on their laptop? Really, why?

    Oh, and of course, in my work this would have been a nothingburger. My laptop has an encrypted HD, this data would always have been delivered either by secure email (a web based gizmo, encrypted and password protected access) or encrypted cloud drive which grants access by invitation only, and the file itself would be encrypted.

    Unless someone ignored at least two different policies and procedures, and the HD encryption would be difficult to overcome, being a corporate implementation with certificates and the whole schmeel.

    Really, so many fails, but the one that stands out was the excess data. Overall, I cannot imagine having similar data on my laptop. It would be on my corp. cloud drive. I do not want to be on the front page of the fishwrap for this. Ever.

    --
    deleting the extra space after periods so i can stay relevant, yeah.