The police and the ICO are looking into the incident

Mar 15, 2014 08:38 GMT

The data breach suffered by UK supermarket chain Morrisons earlier this week impacts 100,000 employees. There’s no evidence that customer information has been compromised.

The Daily Mail reports that the police and the Information Commissioner’s Office (ICO) have launched an investigation.

Names, addresses and bank account details belonging to employees were published on a website. This appears to be an inside job carried out by someone with access to payroll, not an external attack.

However, since the information was publicly available, it could have been copied by cybercriminals. That’s why major banks and Experian have been notified to provide assistance and full support to impacted employees.

The breach came to light after a member of the public copied the data from the website onto a disc, which he sent to the Bradford Telegraph & Argus. The incident comes shortly after Morrisons announced an annual loss of £176 million ($292 million / €210 million).

Sergio Galindo, general manager of the infrastructure business unit at GFI Software, has told Softpedia that the payroll data breach comes at a bad time for the supermarket chain.

“The theft and subsequent republishing of payroll data not only creates several legal and regulatory issues, it also will have further negative impact on the company’s brand name and consumer confidence – as it would for any company that suffers a data breach,” Galindo said.

“We’ve already seen this with Target in the US, which suffered substantial bad press and falling consumer confidence which combined to hit trading figures in the wake of its payment data theft,” he added.

“The Morrisons hack also comes shortly after the seventh anniversary of the TJX hack, when the parent company of British retailer TK Maxx suffered a data theft in which 45.6 million credit and debit card numbers were stolen over an 18-month period and also posted online, affecting both the US and UK retail operations of TJX and forcing banks to replace tens of millions of cards, incurring substantial cost.”

Galindo stresses that companies must limit the ability of staff, contractors and outside parties to casually access sensitive data stores.

“Wi-Fi should be closely managed and monitored, and ideally isolated from the core network, while robust IT event monitoring should be deployed throughout the organisation in order to ensure that audit trails exist to help staff quickly track down the point of weakness in the event of a breach, as well as help to proactively spot abnormal activity and stop it before a theft takes place,” the expert said.