Supermarket giant Morrisons has been found vicariously liable for a 2014 data breach that affected over 100,000 members of staff, after a former employee leaked their personal details online.
The personal information published online contained the following:
- Personal Salaries
- National Insurance Numbers
- Dates of Birth
- Bank Account Details
- Addresses
- Full Names
All of the above falls under what is commonly called personally identifiable information (PII) and is strongly protected under the GDPR (General Data Protection Regulation). Had a breach of this nature occurred next year, Morrisons would have faced serious consequences from the formidable ICO (the Information Commissioner’s Office).
A Morrisons spokesperson said:
“…Morrisons was not at fault in the way it protected colleagues’ data but he [the judge] did find that the law holds us responsible for the actions of that former employee…”
Ex-employee Andrew Skelton was the culprit behind Morrisons’ data leak and was sentenced to 8 years in prison back in 2015, after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.
The very expensive question of whether or not the affected employees will receive compensation remains open, as Morrisons prepares to submit an appeal against the verdict; over 100,000 former and current employees were affected by the breach, and thousands are currently seeking compensation from Morrisons.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”
How?
Skelton was able to put himself in prison for 8 years, and Morrisons in court, with nothing more than a ‘removable storage device’ – more than likely a memory stick.
If you don’t have a policy for BYOD (Bring Your Own Device) then you are playing with fire. As a business owner, you must make it explicitly clear what is allowed and what isn’t. There were no indications, according to Morrisons, that Skelton was disgruntled, which only makes the situation more frightening.
- Create a security policy, or get a business to help you with making one.
- Disable avoidable exposure points such as USB ports on certain computers, and remove access for users who do not need it in the first place, e.g. marketing does not need access to billing.
- Evaluate what you have set in place – are you still able to perform your job role and deliver on your responsibilities efficiently, whilst at the same time ensuring that data is secure?
- Educate all employees on data protection and staying secure in the workplace when online and using data. One USB stick could mean the end of your business.
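As an added example (not part of the original article), the following PowerShell script shows how an administrator can enforce the “disable removable storage” step on a Windows PC and then verify it, using the registry location behind the standard Group Policy setting “All Removable Storage classes: Deny all access”. It assumes an elevated session and that no domain Group Policy is already overriding these keys; the function names are the author’s own.

```powershell
# Added example: enforce and check the Windows removable-storage deny policy.
# Run in an elevated (administrator) PowerShell session.
# Assumption: no domain GPO already manages this key; a reboot is the safest
# way to be sure the setting is enforced for devices that are already attached.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenied {
    # Creates the policy key if it is missing and sets Deny_All = 1, which
    # blocks read, write and execute access to every removable storage class.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-RemovableStorageDenied {
    # Returns $true only when the key exists and Deny_All is exactly 1.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $item  = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_All -eq 1)
}

function Disable-UsbStorDriver {
    # Belt-and-braces: stop the USB mass-storage driver from loading at all.
    # Start = 4 is the Windows service "Disabled" state.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Value 4 -Type DWord
}

Set-RemovableStorageDenied
if (Test-RemovableStorageDenied) {
    Write-Output 'Removable storage is denied by policy on this host.'
} else {
    Write-Warning 'Policy not applied; check permissions and any overriding Group Policy.'
}
```

In a domain, the same setting is better pushed through Group Policy so it cannot be undone locally; this script is for a standalone machine or for checking that the policy actually landed.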
Being prepared and aware of the dangers is the first step to protecting your business from becoming a victim of cyber crime and data breaches. Data leaks and breaches are becoming far too common – look no further than our most recent articles and you will find that this sort of thing happens every day.
Don’t be like Uber, Imgur, Equifax, TalkTalk or Morrisons – be a secure, safe and responsible business that knows how to handle customer and business data responsibly and within the boundaries of the law.