At the end of last week, payroll information of up to 100,000 employees of the British supermarket Morrisons was posted on a website, exposing the names, addresses and bank account details of staff.
The Bradford Telegraph & Argus newspaper was sent an electronic copy of the information from a “concerned Morrisons shopper” and warned Britain’s fourth-largest supermarket that it had suffered a serious data breach.
Fortunately, customer information was not apparently exposed.
The company alerted its staff of the security incident, using social media to reach as many employees as possible.
As Reuters reported, Morrisons managed to have the information removed from the website, and the company's statement made clear that it suspected an insider (presumably a disgruntled employee) rather than an outside attacker:
“Initial investigations suggest that this theft was not the result of an external penetration of our systems. We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.”
West Yorkshire Police announced earlier today that they have arrested a Morrisons employee in connection with the data theft:
Detective Chief Inspector Gary Hooks, of Protective Services (Crime), said: “An employee of Morrisons has been arrested in Leeds this morning (Monday, 17 March) in connection with an investigation into the theft of data from the company.
“He is currently in custody.”
Whether the unnamed man is responsible for the data breach or not is a matter for the authorities, but clearly questions need to be asked as to whether Morrisons was doing enough to protect the sensitive banking information of its employees.
In a world of internet threats, targeted attacks and state-sponsored hackers, it is easy to forget the very real danger posed by insiders.
Security firms love to talk about shady cybercriminals breaking into companies via the net because it’s actually a much easier problem to tackle than the thorny topic of how you secure your confidential data from a trusted employee who may have turned rogue.
Unbelievable. When are companies going to wake up and smell the coffee? This data should have been encrypted, it's not difficult.
As most companies use Microsoft I'm sure BitLocker would have provided adequate protection. A group policy can be forced ensuring that any external media (e.g. USB sticks) are automatically encrypted before they'll even interact with the computer. Or Morrisons could block the use of external drives entirely. They need to, if they haven't already, implement an effective Data Loss Prevention system on their corporate email – that'd block such information from being sent / force it to be encrypted / send an alert to somebody / combination of these things.
These measures wouldn't stop a high-level insider (e.g. an I.T. Director), but they would stop or mitigate the effects of almost all other data breaches.
I'm nowhere near as concerned if a company inadvertently physically loses encrypted data (e.g. on a USB stick) as I am when I hear that a company has lost unencrypted data.
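The controls the commenter above lists (BitLocker To Go enforced by Group Policy, or removable drives blocked outright) are set through well-known policy registry values, so a defender can audit a workstation for them. The script below is an added example and is not code from the original post or from Morrisons; it reads the standard BitLocker (`FVE`) and Removable Storage Access policy keys and reports which of the two controls, if either, is in force. The thresholds and the wording of the verdicts are this example's own assumptions; the registry paths and value names are the ones the corresponding Group Policy settings write.

```powershell
# Audit whether a Windows endpoint enforces the removable-media controls
# discussed above: BitLocker To Go required for writes, or removable disks
# blocked entirely. Added example; run as a user who can read HKLM policy keys.

# Policy key written by "Deny write access to removable drives not protected by BitLocker"
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Policy key for the Removable Disks device class (well-known class GUID)
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Parent key carries the "All Removable Storage classes: Deny all access" setting
$allRemovable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the policy is not configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RemovableMediaPosture {
    $bitlockerRequired = (Get-PolicyValue $fvePolicy 'RDVDenyWriteAccess') -eq 1
    $writesDenied      = (Get-PolicyValue $removableDisks 'Deny_Write') -eq 1
    $readsDenied       = (Get-PolicyValue $removableDisks 'Deny_Read') -eq 1
    $allDenied         = (Get-PolicyValue $allRemovable 'Deny_All') -eq 1

    # Verdict order: a full block is strongest, then a write block,
    # then "writes only to BitLocker-protected drives"; anything else is open.
    $verdict = if ($allDenied -or ($writesDenied -and $readsDenied)) {
        'Removable disks blocked entirely'
    } elseif ($writesDenied) {
        'Writes to removable disks blocked'
    } elseif ($bitlockerRequired) {
        'Writes allowed only to BitLocker-protected removable drives'
    } else {
        'No removable-media control enforced: unencrypted copies possible'
    }

    [PSCustomObject]@{
        Computer               = $env:COMPUTERNAME
        BitLockerToGoRequired  = $bitlockerRequired
        RemovableWriteDenied   = $writesDenied
        RemovableReadDenied    = $readsDenied
        AllRemovableDenied     = $allDenied
        Verdict                = $verdict
    }
}

# Also list any currently attached removable volumes and their encryption state,
# so an auditor can see whether the policy matches what is actually plugged in.
function Get-RemovableVolumeEncryption {
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

Get-RemovableMediaPosture | Format-List
Get-RemovableVolumeEncryption | Format-Table -AutoSize
```

Run it across a fleet with `Invoke-Command` and collect the `Verdict` field; any machine reporting the last verdict is one from which a staff payroll export could leave on an unencrypted USB stick, which is exactly the scenario the commenter is worried about.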