Insider data leak causes trouble for major supermarket chain

The insider threat is arguably the biggest threat to businesses’ cyber security. It is unrelenting, difficult to detect and costly. Indeed, thousands of Morrisons staff have argued they should be compensated for the “upset and distress” caused by their personal details being posted on the internet, the High Court has heard.

The case, which opened in London on Monday is the first data leak class action in the UK, which companies across the country are keeping a close eye on. It follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the firm’s Bradford HQ, leaked the payroll data of nearly 100,000 employees. Details included names, addresses, phone numbers, bank account details and salaries. Skelton put the information online and sent it to newspapers.

Subsequently, Skelton was found guilty in July 2015 of fraud, securing unauthorised access to computer material and disclosing personal data. He was jailed for eight years.

>See also: Insider threat: most security incidents come from the extended enterprise

However, the current case has been brought by 5,518 current and former employees of Morrisons against the supermarket chain. The victims allege that the firm denies liability, failed to prevent the leak and exposed them to the risk of identity theft and potential financial loss. And they are arguing that the supermarket was ultimately legally responsible for breaches of privacy, confidence and data protection laws.

Morrisons denies legal liability and is defending itself, declining to comment ahead of trial.

If this trial is successful, a second will determine the level of compensation.

Jonathan Barnes, counsel for the employees, told Mr Justice Langstaff : “We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information.”

>See also: Insider threat denial: who is in the driving seat? 

Anya Proops QC, for Morrisons, said that if the 5,518 claimants succeeded, it would open the door to claims from the other 94,480 individuals affected.

The insider

“As the Morrisons data breach demonstrates, the insider threat represents one of the greatest challenges to businesses trying to stave off a constant barrage of cyber attacks,” comments David Emm, principal security researcher, Kaspersky Lab.

Research by Kaspersky Lab and B2B International reveals that 28% of all cyber attacks and 38% of targeted attacks now involve malicious activity by insiders.

“Employees rank at the very top of the list of threats to data and systems. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. When insider-assisted attacks do occur, the impact of such attacks can be devastating as they provide a direct route to the most valuable information – in this case, customer data.”

>See also: Why insider threats are the next big security challenge

Here are a few steps organisations can take to help identify and protect against insider threats:

• Educate your staff about responsible cyber-security behaviour and the dangers to look out for, and introduce robust policies about the use of business email addresses.
• Use threat intelligence services to understand why cybercriminals might be looking at your company and to find out if someone is offering an insider “service” in your organisation.
• Restrict access to the most sensitive information and systems.
• Perform regular security audits of the company’s IT infrastructure.

Avatar photo

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.