A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal.
Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu.
“We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018,” the letter from Lenovo HR and IT Security, dated 21 November, stated.
“Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted.”
Lenovo employs more than 54,000 staff worldwide (PDF), the bulk of whom are in China.
The letter stated there is currently “no indication” that the sensitive employee data has been “used or compromised”, and Lenovo said it is working with local police to “recover the stolen device”.
In a nod to concerns that will have arisen from this lapse in security, Lenovo is “reviewing the work practices and control in this location to ensure similar incidents do not occur”.
On hand with more wonderfully practical advice, after the stable doors were left swinging open, Lenovo told staff: “As a precaution, we recommend that all employees monitor bank accounts for any unusual activities. Be especially vigilant for possible phishing attacks and be sure to notify your financial institution right away if you notice any unusual transactions.”
The letter concluded on a high note. “Lenovo takes the security of employee information very seriously. And while there is no indication any data has been compromised, please let us know if you have any questions.”
The staff likely do. One told us the incident was “extremely concerning” but “somehow not surprising in any way. How on Earth did they let this data exist on a laptop that was not encrypted?”