Morrisons staff suing over data breach. Del Brazil takes a look at what we know and what it might mean.

• by Ellie Hurst
• Advent IM Blog

Advent IM Security Consultant, Del Brazil discusses some of the questions raised by the legal action from Morrisons employees over a data breach that led to their private information being leaked…

It has been reported in Computer Weekly that thousands of Morrisons staff are planning to sue the retailer over a data breach in which a disgruntled former employee published the bank, salary and National Insurance details of almost 100,000 employees, online.

Did Morrisons fail to prevent the data leak that exposed tens of thousands of its employees to the very real risk of identity theft and potential loss?  Only a fully and thorough investigation will reveal the answer along with exactly how the breach was committed and over what period of time the breach occurred.

Any investigation will highlight the security measures deployed at the time of the incident.  A decision will then be made by the Information Commissioners Office (ICO) or other investigative body, as to whether the measures implemented were in line with the Data Protection Act and that any measure was correctly configured, managed and/or monitored.

The Data Protection Act 7^th Principle says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

So in simple terms each and every organisation that stores, processes or handles personal data should be able to establish whether they can reasonably do more to protect the personal data they hold.  If the answer raises eyebrows or poses further questions then the simple answer should be yes; however all organisations should be consistently and regularly reviewing their security measures in order to highlight potential weaknesses or areas for improvement. What may be appropriate and adequate at one time, may not always remain the same, so the need for review and testing is key.

In the event that personal data is stolen, changed or misappropriated, then the repercussions to the individual could be devastating.  There is a possibility that their information may be sold on to a third party for spamming purposes or sold on to a criminal organisation with the intent of identity theft. The resulting financial losses to individuals are not only unfair and criminal, on a wholesale basis, but frequently go to fund other criminal and terrorist activities.  Sadly, there is a frequently a somewhat relaxed attitude towards the loss of personal data from an individual’s perspective as they believe that it won’t happen to them. However there is always a risk to your personal information being used for purposes that you are not aware of.  No one should ever be afraid to question an organisation or employer how they protect their information and what measures they are taking to ensure its security.  If there are resulting concerns about levels of protection or safeguards, then the Information Commissioner’s Office (ICO) may be contacted as they may investigate these concerns further.

Individuals can be quick to pass on their details to organisations/companies for genuine reasons; we all live a digital and data-driven life, in the belief that this information will be adequately protected.  Arguably, in some cases you have no choice than to share personal information especially from an employment perspective and it would reasonable to expect your employer to take sufficient care of your information to prevent it being accessed or passed to individuals/organisations intent on committing some form of illegal activity. Being aware of how our information is protected is not unreasonable and employees have a perfectly reasonable expectation that their employers will consider this part of their duty of care.

The UK can sometimes follow the US culturally and the question has been raised as to whether the culture of litigation is one we can expect to see expand in the UK, particularly with this kind of high profile legal action. There are numerous incidents in the US where companies/organisations have been sued for failing to protect personal information, but can we expect this to become part of our corporate life? This is a very tricky question to answer, as the laws governing the protection of data in the US differ from those in the UK; although they do deliver the same message.  Each and every personal data breach is unique but the re-occurring question in any investigation will always be whether the individual, company and/or organisation took sufficient care to protect personal information by the deployment of appropriate technical, physical and procedural measures and what was the impact to individual concerned?  So whilst the regulation may differ, the spirit of the regulation is consistent and whether this is the future for the UK too will remain to be seen. Certainly we are seeing growing numbers of breaches and it is unlikely that this growth will continue without some kind reaction from the victims.

What is the likelihood that the Morrisons legal action is successful?  This would depend on the outcome of the ongoing investigation and as to whether Morrisons was deemed to have adequately protected their employee’s data.  Should the legal bid be upheld then the repercussions may potentially have a massive impact on all organisations storing and/or processing personal information.  There is a likelihood that organisations may go massively overboard with extra or increased measures in an attempt to defeat any possible threat of an insider attack without first reviewing and/or assessing the result of the findings of the ongoing Morrisons case.

The Morrisons data breach does raise a few questions though; what measures are deemed to be appropriate and sufficient to detect and/or deter an insider attack?  There is a fine balance between organisations having a high level of protective monitoring that gives employees the ‘Big Brother’ impression or such a low level that pretty much no monitoring takes place.  A very similar tone could be taken to staff vetting as at what point does vetting no longer be seen as an assurance practice but more of an intrusion into personal life?  These are questions that will continuously trouble both employers and employees.

Organisations are generally over reliant on technical solutions for protective monitoring to provide a quick fix rather than looking at the problem and identifying an appropriate solution.  There are a whole raft of technical solutions available, all of which require an element of physical monitoring and response.  It is an organisational decision as to whether to use a more technical solution with little staff interaction to maintain the system, as opposed to relying more heavily on human inspection of various logs; however consideration should also be given to allowing/ensuring that there are sufficient staff available to respond to alerts or discrepancies that may be detected in whichever solution is deployed.  Organisations should also ensure that they have a tried and tested plan in place to maximise their ability to understand, contain and respond to the ever increasing threat to personal information.

It is the opinion of the author that organisations should employ comprehensive protective monitoring procedures, which when coupled with a degree of staff vetting and a good security awareness programme should demonstrate to any governing body an organisation’s commitment to deterring or detecting insider threats.

Unfortunately the insider threat will never go away and with the value and importance of information increasing rapidly so the temptation for employees to sell personal information also increases.  Every level and type of industry relies upon information, no matter what form it takes and as such, every industry should keep an eye on this case as it develops.

Although organisations should pay close attention to this ongoing legal case raised by Morrisons employees and/or organisations shouldn’t be overly concerned until the full details of the investigation and the outcome of the legal case are made public.

Every organisation should ensure appropriate measures are in place (technical and non-technical) to secure and protect personal information to the best of their ability, including continually educating, training and making their staff aware of the insider threats.