5,518 former and current Morrisons employees are suing the company in the High Court over failing to protect their personal data after it was posted online by a rogue employee with a grudge.
Back in 2014, Andrew Skelton, who was an auditor at the head office of Morrisons in Bradford, leaked the personal details of almost 100,000 staff. Mr Skelton is believed to have deliberately stolen and leaked the data in a move to get back at the company after he was accused of dealing in legal highs at work.
Although Mr Skelton was jailed for eight years in 2015 over the incident, and Morrisons was awarded £170,000 compensation against Skelton, lawyers for the employees whose data was stolen and leaked are now arguing that they should also be compensated.
What Kind of Data?
The data, which was stolen, sent to national newspapers, and posted on data-sharing websites by Skelton, included details about staff salaries, bank details and National Insurance numbers.
It is estimated that the data breach cost the company more than £2m to rectify back in 2015.
Upset and Distress
In the recent case in the High Court, Jonathan Barnes, Counsel for 5,518 former and current Morrisons employees, argued that they were victims too, and should therefore also (like Morrisons) be compensated.
Mr Barnes argued that due to a failure by Morrisons to keep staff personal data safe, upset and distress were caused to people whose personal data had been posted online without their consent (and without their knowledge at the time).
The basis of the case is, therefore, that Morrisons may be responsible for breaches of privacy, confidence and data protection laws, and may have exposed employees to the risk of identity theft and potential financial loss.
The action at the High Court will last two weeks and is essentially concerned with liability. No decision has yet been made.
What Does This Mean For Your Business?
With so much focus on attacks from the outside by hackers and scammers, it’s easy to forget that attacks and data breaches or leaks can come from within. Businesses may not be aware that insider attacks top the list of threats to data and systems, and because (as in the case of Skelton) certain employees have legitimate access to sensitive and valuable company information, the risk is potentially huge. What makes this risk particularly hard to manage is that trust needs to be placed in employees in order for them to do their jobs, yet their motivations are hard to predict, anticipate or control. It is also likely that, as in the case of Morrisons, insiders can select the most sensitive data and inflict the worst kind of damage before the company even knows about it.
Businesses should, therefore, at least be aware of the threat, try to restrict access to sensitive data to only those people who need it, build in some monitoring and checking, and include this kind of scenario in Business Continuity and Disaster Recovery Plans.