Employees sue Morrisons after 2014 data breach

Nearly 6,000 employees are suing Morrisons after their personal information was leaked by an insider in 2014. Almost 100,000 current and former employees saw their personal information, including bank details, National Insurance numbers and dates of birth, posted online and released to newspapers.

Morrisons was awarded £170,000 in compensation, but those individuals affected by the breach got nothing. Counsel for the employees, Jonathan Barnes, advised that the victims are seeking compensation for the “upset and distress” caused by the leak, although Morrisons claims it is not liable.

According to the BBC, Barnes said:

“We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information.”

The leaked information would “certainly be enough for internet scammers to attempt identity fraud or follow-on phishing attacks”. It is not known whether the victims have suffered from such attacks.

Morrisons has a duty to protect the personal information of its employees. The High Court is yet to decide whether Morrisons is liable for the incident.

David Emm, principal security researcher at Kaspersky Lab, said:

“Employees rank at the very top of the list of threats to data and systems. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. When insider-assisted attacks do occur, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.”

Emm said that organisations need to “manage insider risk by improving staff training and awareness programmes (bolstered by robust policies), restrict access to the most sensitive IT systems, perform regular security audits and use threat intelligence services”.

As insider threats have the potential to affect reputation, operations and profitability, as well as expose data, organisations should take action to prevent such incidents rather than react to them.

Why is staff awareness important?

Although this leak is an example of deliberate misuse of data rather than human error, it shows the importance of effective staff training to ensure that staff know how to treat confidential information and understand the consequences of misuse. Information security is critical within the business environment.

Educate your staff

Enrol your staff on our Information Security Staff Awareness E-Learning Course to give them a better understanding of what is expected of them. The course advises staff on how to avoid becoming a security liability, introduces them to your internal policies on incident reporting and responses, and provides basic knowledge of information security best practice to reduce needless mistakes.