At the end of last week, payroll information of up to 100,000 employees of the British supermarket Morrisons was posted on a website, exposing the names, addresses and bank account details of staff.
The Bradford Telegraph & Argus newspaper was sent an electronic copy of the information from a “concerned Morrisons shopper” and warned Britain’s fourth-largest supermarket that it had suffered a serious data breach.
Fortunately, customer information was not apparently exposed.
The company alerted its staff of the security incident, using social media to reach as many employees as possible.
As Reuters reported, Morrisons managed to have the information removed from the website and was quoted clearly suspecting an insider (presumably a disgruntled employee) was responsible for the hack.
“Initial investigations suggest that this theft was not the result of an external penetration of our systems. We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.”
West Yorkshire Police announced earlier today that they have arrested a Morrisons employee in connection with the data theft:
Detective Chief Inspector Gary Hooks, of Protective Services (Crime), said: “An employee of Morrisons has been arrested in Leeds this morning (Monday, 17 March) in connection with an investigation into the theft of data from the company.
“He is currently in custody.”
Whether the unnamed man is responsible for the data breach or not is a matter for the authorities, but clearly questions need to be asked as to whether Morrisons was doing enough to protect the sensitive banking information of its employees.
In a world of internet threats, targeted attacks and state-sponsored hackers it is easy to forget the very real threat which can be posed by the insider threat.
Security firms love to talk about shady cybercriminals breaking into companies via the net because it’s actually a much easier problem to tackle than the thorny topic of how you secure your confidential data from a trusted employee who may have turned rogue.