Back in 2014, Morrisons suffered a serious data breach when an ex-employee leaked the data of nearly 100,000 employees online. Data included names, addresses, dates of birth, phone numbers, salary information, national insurance numbers and bank details.
The payroll data had been supplied by Morrisons to its external auditor, it was then copied from the secure software on to a memory stick by an authorised employee in HR. This was later uploaded to a laptop belonging to a senior internal IT auditor, and shared to another memory stick, which was then later used to leak the information.
Unfortunately, Morrisons were not aware at the time that this data had been copied on to a personal USB device belonging to the senior IT auditor, Andrew Skelton. Andrew had actually been through a disciplinary process earlier that year, leading him to harbour a grudge against the fourth largest supermarket in the UK.
Andrew firstly uploaded the data to a public file-sharing website, and then followed this action by contacting the press and sending a CD containing a copy of the data to three UK newspapers.
It was the action of one newspaper contacting Morrisons that first brought their attention to the data breach. Andrew was later found to be guilty of the breach and was sentenced to eight years in prison in 2015.
Well, you’d think. But, although Morrisons were not primarily to blame, they were still vicariously liable due to them being responsible for Andrew’s actions as a trusted employee at the time.
In his own words, the judge on the case ruled that “Morrisons deliberately entrusted Skelton with the payroll data. It was not merely something to which work gave him access; dealing with the data was a task specifically assigned to him.” He believed that Morrisons took the risk when placing their trust in him.
What happened next?
5,518 of the 99,998 employees affected brought claims against Morrisons, alleging breaches of the Data Protection Act 1998 (DPA). Although they were made to pay compensation to the employees, the court was satisfied that the system already in place was sensible and necessary. They believed that Morrisons had limited access to the data as much as it could, that they had internal checks in place to see who had accessed the data and had used an appropriate method to transfer the data to their external auditor.
What should businesses do now?
It’s hugely important that businesses are compliant with GDPR and that their planning of this, covers and reduces risks similar to this one. Businesses may want to consider:
- Taking a close look at security measures and ensuring that access rights are tightly monitored
- Ensuring the appropriate policies and procedures are in place to cover data protection principles such as data security and data minimisation, and to guarantee that these are understood by employees
- Having a Data Protection Impact Assessment (DPIA) for any new processes to track any data requests by auditors and to establish whether these are necessary and why
- Ensuring that you have trusted employees in important roles and that any concerns against them are reviewed and the necessary actions are taken
- Having a data breach notification procedure in place to ensure that detection and response is proactive
- Ensuring that efficient staff training is conducted on all areas of GDPR and any relevant or further security training
- Regular compliance audits or reviews should be put in place to identify and rectify any issues as quickly as possible.
What do you think of Morrisons’ situation? SCS Technology would love to hear your thoughts on Twitter @SCSTechnology.