back to article Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked

A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal. Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has …

  1. Semtex451

    news

    These days I'm wondering at what frequency does an event no longer become newsworthy.

    Even the staff at HP will be laughing only till they think "better check ours".

    It comes under the heading 'Unlikely chain of events actually occurs (with disastrous consequences)'

    1. GnuTzu
      Unhappy

      Re: news

      Yup. When people go numb and acclimate to it, vigilance will fade. Only wide-spread pain will bring people to action, but how great will the pain need to be to prevent a cascade that will accelerate into a landslide of catastrophe?

      1. BillG
        WTF?

        Working from home???

        "Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted."

        Even if it was encrypted, IMO this information has no reason to be on a mobile platform like a laptop. No one in HR should need to work with this information at home for any reason.

    2. Version 1.0 Silver badge
      Unhappy

      Re: news

      I think that this would be much more "newsworthy" if it hadn't happened - it's happening all the time and we, the general public lusers, only hear about it occasionally. So look at the information that's been pawned ... it would not be that serious if it were not for the fact that banks and other financial entities are continually falling for these tricksters and then not blaming themselves for giving the money away without any serious checks ... their "backstop" plan is always to blame the victims.

    3. tfewster
      Facepalm

      Re: news

      > 'Unlikely chain of events...' With about 500 million laptops out there, even with odds of a million to one, that's a lot of occurrences.

      And, as we know, million to one chances happen 9 times out of 10

  2. Jay Lenovo

    Meet our CSO, Mr. Hindsight

    It seems most companies take security very seriously, when they have been breached.

    Now if they could only apply this enthusiasm before a setback...

    1. Ben Tasker

      Re: Meet our CSO, Mr. Hindsight

      Isn't hard drive encryption literally one of the features of many of the products Lenovo sell?

      Good to know they're dogfooding it. Next we'll find out that it was in fact a Dell laptop

      1. Mongrel

        Re: Meet our CSO, Mr. Hindsight

        "Isn't hard drive encryption literally one of the features of many of the products Lenovo sell?"

        I'd be asking why this sort of information was on the hard drive. If you must have access to this sort of data externally then VPN into the company network and make sure you're using 2FA to logon.

        Here's a Defcon talk about why you shouldn't be logging on or working with sensitive information in public places, No Tech Hacking. https://www.youtube.com/watch?v=qfFELeCP-oA

      2. Robert Helpmann??
        Childcatcher

        Re: Meet our CSO, Mr. Hindsight

        Isn't hard drive encryption literally one of the features of many of the products Lenovo sell?

        Yes, but have the flaws in HW encryption implementation been corrected?

      3. Zilla

        Re: Meet our CSO, Mr. Hindsight

        Yes it's one of the reasons I have a thinkpad for my work. It's encrypted and as far as I know should be completely inaccessible without my biometrics AND boot password.

        The fact this wasn't default at Lenovo is simply unfathomable.

        1. Anonymous Coward
          Anonymous Coward

          Re: Meet our CSO, Mr. Hindsight

          You haven't tryed to hack your own system yet have you? Metrics with the fingerprint easily fooled.

          Your encryption, has known back doors in the math unless you rolled your own algorithm and code. You sir are the perfect victim due to your misplaced faith in security theatre.

          when it comes to security anyone sufficiently motivated will eventually break any and all security

        2. Anonymous Coward
          Anonymous Coward

          Re: Meet our CSO, Mr. Hindsight

          The fact this wasn't default at Lenovo is simply unfathomable.

          If only. I can fathom it all too well.

          Let's just say that Lenovo are by no means the only offenders in this area.

      4. highdiver_2000

        Re: Meet our CSO, Mr. Hindsight

        The hdd could have been replaced and the employee did not activate the hdd encryption, as it slows down the machine.

    2. Antron Argaiv Silver badge
      WTF?

      Re: Meet our CSO, Mr. Hindsight

      "Lenovo takes the security of employee information very seriously."

      So seriously, in fact, that, instead of keeping it on company servers, accessible only through a VPN, we let employees walk around with it on their laptops, unencrypted.

      Methinks Lenovo's definition of "security" is a mite more lenient than mine.

      // what *possible* reason is there for an employee database with all kinds of sensitive information to be on a worker's laptop?

    3. Andy Non Silver badge

      Re: Meet our CSO, Mr. Hindsight

      One of my relatives runs his own company and has a significant amount of very sensitive information on his many private clients, but trying to get him to take security seriously is virtually impossible. He is one of those guys who always knows better and more about everything than anyone else. He accuses me of being paranoid when I try to talk to him about his naive attitude towards security. He did admit that a few months ago his co-director fell for one of those "Hello this is Microsoft calling" phone calls and even installed malware on their network as a result before someone finally twigged it was a scammer and hastily tried to close stable doors; how much / if any data was lost he didn't say. His company is probably too small to end up being featured on El Reg in the event of a major data loss, but he is a GDPR data breach waiting to happen.

      1. Anonymous Coward
        Anonymous Coward

        Re: Meet our CSO, Mr. Hindsight

        Mr "Andy Non" - you must be from Cape Town, South Africa. That 'twigged' is just a dead give away.

        1. phuzz Silver badge

          Re: Meet our CSO, Mr. Hindsight

          'Twigged', is also widely used in the UK, and I'd guess some of the ex-colonies as well, not just South Africa. Plus a South African is less likely to be worried by GDPR.

  3. Locky
    Childcatcher

    Lappy?

    Is this the contempt that we deserve? Does the will of the people mean nothing?

    https://www.theregister.co.uk/2006/03/14/lappy_poll/

    I demand a referendum

    1. Semtex451
      Facepalm

      Re: Lappy?

      That was still the good ol days at El Reg

      Also English was still a thing (we have to say 'a thing' now)

      This place has changed beyond all recognition since, as has our language and therefore journalists use of it.

      F*ck I'm old.

      1. Oh Matron!

        Re: Lappy?

        Journalists? Don't get that word mixed up with blogger. Those who can't, don't forget, blog.

  4. A.P. Veening Silver badge

    GDPR?

    Those responsible at Lenovo better start praying there are no European staff on their Asia-Pacific payroll, otherwise this could become pretty expensive.

    1. Yet Another Anonymous coward Silver badge

      Re: GDPR?

      But if the laptop had been in Europe or Australia, and encrypted the police would have a copy of the key - and so the data would be available in every east end boozer for "a drink"

    2. I_am_not_a_number

      Re: GDPR?

      Hmm.. Singapore doesn't seem to be on the GDPR/Third countries with adequacy decision but they seem to have some kind of data protection under the Personal Data Protection Act 2012 (PDPA).

      However:

      "The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

      "Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.,,"

      Penalties seem to be a bit weak (1 GBP = 1.72 Singapore Dollars) , I'm personally not convinced about the prison term below:

      "...A fine up to SGD10,000. In the case of a continuing offence, the guilty person is liable to a further fine not exceeding SGD1,000 for every day or part of the day during which the offence continues after conviction.

      Imprisonment for a term not exceeding three years."

      That's pretty broad set of exclusions IMHO + anyone's guess whether their equivalent to the ICO will act to enforce...

      1. This post has been deleted by its author

      2. spold Silver badge

        Re: GDPR?

        Bank account and payroll information would not come under general business information (stuff on your business card), and Singapore data protection fines are one of the the most brutal in Asia (up to $1M). So could be an expensive laptop.

        (the $10K thing is for non-cooperation with the regulator)

  5. Mr Dogshit

    Yeah yeah, they take it "very seriously".

  6. Crisp
    WTF?

    If Lenovo give away my bank details

    Then surely they're liable for any financial loss I incur?

    1. Anonymous Coward
      Anonymous Coward

      Re: If Lenovo give away my bank details

      Then surely they're liable for any financial loss I incur?

      That will depend on where you reside, and the laws that apply to you and your data.

      In the UK, Morrisons are still protesting their innocence after a staffer deliberately released similar data some years ago. They've lost a case at the Court of Appeal, but they think it worth appealing to the Supreme Court, and until that's done and dusted there's a bit of doubt about how much liability attaches to the unintentional but avoidable loss of UK employee data.

  7. Flywheel
    WTF?

    Lenovo takes the security of employee information very seriously

    If I had a quid for every time I heard this I wouldn't be working. #FFS

    1. Anonymous Coward
      Anonymous Coward

      Re: Lenovo takes the security of employee information very seriously

      I'm fairly sure Lenovo have said that only once. Very recently.

      Unless you've got it on repeat.

      1. vir

        Re: Lenovo takes the security of employee information very seriously

        They forgot the second part of the phrase: "out of an abundance of precaution, we will be providing free credit monitoring services to all affected for one year".

      2. Bibbit

        Re: Lenovo takes the security of employee information very seriously

        Impressive pedantry. Well done sir or madam.

  8. Anonymous South African Coward Bronze badge

    Happened to us as well... so it must also be "standard practice" with most companies.

  9. Herring`

    HR

    They get all funny about allowing anyone from IT anywhere near their data - including the security people. In some places I've worked, the annual leaking of the payroll data (just after pay rises) was a tradition.

  10. Captain Obvious

    Now that this is news

    I wonder if the laptop thief really new all content on the stolen laptop. But they do now!!!!!!

  11. DuchessofDukeStreet

    Two months to discover that the lost laptop had an entire payroll on it? Did they not ask the questions, or did the owner not tell them what they'd done?

    It will all have been on the laptop because HR people are very important and have to have immediate access to all the data they need, which nobody else is allowed to go near of course. But they can be trusted with that kind of confidential important information!

    1. Adrian 4

      @DuchessofDukeStreet

      I suggest that two months is about how long someone can spin out 'I left my laptop at home' until someone finally loses patience and finds out the truth.

  12. Anonymous Coward
    Anonymous Coward

    Again?

    Exactly this happened at my previous company. All of us plebs had mandatory whole disk encryption. Some VP of HR had the entire payroll database on her laptop which of course was (a) unencrypted and (b) stolen.

    Strangely, neither the VP nor her boss were fired over this.

  13. Stevie

    Bah!

    "Fortunately, the laptop in question was running the vary latest patched version of Windows XP SP3."

    Seriously, how is it even possible that a Leonovo staff member possessed an unencrypted laptop in 2018?

  14. Bluto Nash
    Mushroom

    WTF

    Why isn't this sort of breach not only punishable, but encryption not REQUIRED for HR related data? I mean like REQUIRED sort of required, not "It'd be nice if you maybe did that encryption thing on that laptop we gave you."

    Site IT needs to not deliver a laptop that hasn't already BEEN ENCRYPTED. Why does a user need an unencrypted laptop in the first goddamn place?

    Jeebus.

  15. EnviableOne

    Confused?

    Please tell me it isnt just me

    10 September 2018 <> Recently

    glad this isnt under GDPR or they'd be getting papped knuckles under the 72hr rule, i hope none of theemployees are EU nationals, or this might be fun

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like