Supermarket Morrisons has reported a breach of 100,000 payroll data records.
The details were sent on a CD and passed to the Bradford-based Telegraph and Argus. Morrisons said that its initial investigation did not point to the work of an outside hacker, and that there had been no loss of customer data. The details were of employees from store staff to board level, and had been posted online.
A Morrisons spokesman told BBC News that an investigation began last night. The company said that it found out about the theft on Thursday, just after it had reported a £176m loss and warned that profits in the coming year would be less than £375m, about half the level of 2013.
In a note on its Facebook page, Morrisons apologised to colleagues for the theft and publication of the data. “As soon as we became aware of this last night we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified,” it said.
It confirmed that this was an illegal theft of data, that the data could no longer be accessed on the website, and that it was liaising with the police and the highest level of cyber crime authorities.
“The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation. We are very sorry that this has happened. We will ensure that no colleague will be left financially disadvantaged as a result of this theft.”
Tim ‘TK’ Keanini, CTO of Lancope, said: “This breach is not the first and certainly not the last of its kind. By the tactics used, the behaviour is more of revenge or hacktivism because the perpetrators wanted the stolen data to be public. If they were cyber criminals, it would have been harder to find in the initial stages because it would have been for sale on some darknet and for a price. Also, the data being sent to a newspaper is another telling sign of the attacker wanting it to be a very public event.
“I also find it interesting that the attackers only went after the employee data when all the customer data that is stored could have been stolen and monetized. Either it was taken, and they don’t know it yet, or this is clearly not the cyber criminal profile in that this prize would have been much larger in numbers and would yield a higher price on the dark markets. When you look at this event and you ask yourself, is this what good incident response looks like? I’d give them a B- in my book.”
Sergio Galindo, general manager of the infrastructure business unit at GFI Software, said: “The theft and subsequent republishing of payroll data not only creates several legal and regulatory issues, it will also have a further negative impact on the company’s brand name and consumer confidence – as it would for any company that suffers a data breach.
“We’ve already seen this with Target in the US, which suffered substantial bad press and falling consumer confidence which combined to hit trading figures in the wake of its payment data theft.”
Paul Ayers, VP EMEA at enterprise data security firm Vormetric, said: “Even in the wake of the mammoth Target and Neiman Marcus data breaches, this latest incident suggests that organisations are still struggling to protect their data resources from those already legitimately ‘inside the fence’.
“It is often a case of ineffective management of ‘privileged’ users on corporate networks that causes this type of data breach incident. Every organisation will have employees or contractors who have far reaching, privileged, computer network access rights – and it is how these users are controlled and secured that is often a weak link in the data security framework.
“Organisations must be regularly assessing their security position and, more importantly, constantly monitoring their IT systems to detect and respond to data breaches as soon as they happen. In turn, encryption of all data must be viewed as a mandatory, life-saving seatbelt. It’s only with a deep level of security intelligence and data-centric security that businesses will be able to spot suspicious activity as and when it occurs, and stop outside attackers and rogue employees alike in their tracks.”
Nick Banks, VP EMEA & APAC at Imation Mobile Security Group, said: “Whilst we await more details, initial indications from Morrisons are that this was an ‘inside job’. It is a stark reminder that the insider threat is just as present and powerful as that of an outside cyber attack.
“In giving employees access to sensitive and confidential data it is imperative that companies are able to track that data – who has accessed it, from where – in order to understand what devices it is sitting on and if it has been accessed by someone who shouldn’t have.”
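The monitoring that Ayers and Banks describe (tracking who accessed payroll data, from where, and in what volume) can be reduced to a concrete check over an access-audit log. The following is an added example written for this article; it is not code from Morrisons, Vormetric, Imation or any other party quoted above. The log format, field names, account names, hostnames and thresholds are all constructed assumptions. It flags an account whose payroll-record reads within a one-hour window exceed a baseline, any bulk export of payroll data, and notes whether the activity happened outside business hours.

```python
"""Flag anomalous bulk access to payroll records in an access-audit log.

Added example (not from the article or any vendor it quotes). The log
format, users, hosts and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Fields: timestamp, user, action,
# record_count, source_host. Normal HR activity is a few dozen records;
# the last four lines model a single account pulling the whole payroll.
SAMPLE_LOG = """\
2014-03-13T09:02:11 hr.clerk01 READ_PAYROLL 12 hrws-07
2014-03-13T09:15:40 hr.clerk01 READ_PAYROLL 8 hrws-07
2014-03-13T10:01:03 payroll.admin READ_PAYROLL 40 hrws-02
2014-03-13T21:44:19 it.ops03 READ_PAYROLL 35000 hrws-11
2014-03-13T21:46:02 it.ops03 READ_PAYROLL 35000 hrws-11
2014-03-13T21:47:55 it.ops03 READ_PAYROLL 30000 hrws-11
2014-03-13T21:52:30 it.ops03 EXPORT_CSV 100000 hrws-11
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, host = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "count": int(count),
            "host": host,
        })
    return events


def detect_anomalies(events, window=timedelta(hours=1),
                     read_threshold=1000, business_hours=(8, 18)):
    """Return alerts for bulk reads within a sliding window and for exports.

    A 'bulk read' alert fires once when a user's record reads inside the
    window first cross read_threshold, so a sustained pull produces one
    alert rather than one per line. Every export of payroll data is
    alerted on regardless of size.
    """
    alerts = []
    by_user = defaultdict(list)  # user -> recent READ_PAYROLL events
    for ev in sorted(events, key=lambda e: e["ts"]):
        off_hours = not (business_hours[0] <= ev["ts"].hour < business_hours[1])
        if ev["action"].startswith("EXPORT"):
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "host": ev["host"], "reason": "bulk export",
                           "records": ev["count"], "off_hours": off_hours})
            continue
        if ev["action"] != "READ_PAYROLL":
            continue
        hist = by_user[ev["user"]]
        # Drop reads that have aged out of the window.
        while hist and ev["ts"] - hist[0]["ts"] > window:
            hist.pop(0)
        prior = sum(e["count"] for e in hist)
        hist.append(ev)
        total = prior + ev["count"]
        if total > read_threshold and prior <= read_threshold:
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "host": ev["host"], "reason": "bulk read",
                           "records": total, "off_hours": off_hours})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{alert['ts']} {alert['user']}@{alert['host']}: "
              f"{alert['reason']} ({alert['records']} records, "
              f"off_hours={alert['off_hours']})")
```

Run against the constructed log, the two HR accounts produce no alerts, while `it.ops03` produces one bulk-read alert (flagged as off-hours) when its first 35,000-record read crosses the threshold, followed by a bulk-export alert. The threshold and window are the parts an organisation would tune from its own baseline; the structure (per-user sliding window, alert on first crossing, unconditional alert on exports) is what makes the "who, from where, how much" tracking actionable rather than just recorded.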