Man Arrested in Connection With Morrisons Payroll Breach

"The behavior is more of revenge or hacktivism because the perpetrators wanted the stolen data to be public," suggested Lancope CTO Tim Keanini. The security industry, he says, believes it was only possible because the company had insufficient security within the network (such as behavior monitoring and SIEM or automated log analyses) as opposed to perimeter defenses.

The stolen data was briefly available publicly on the internet, but was taken down at Morrisons' request. It hasn't been specified where it was published, but of course nobody knows how many times or by whom it may have been copied while it was there. Pastebin is a favorite location for such dumps, and the Pastebin operators are very quick to remove personal data once they become aware of it – but Morrisons employees should consider their bank details compromised.

The company sent a note to all employees and posted it on Facebook. "Our immediate priority is the security of your financial information," says the note. "We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account... We will ensure that no colleague will be left financially disadvantaged as a result of this theft."

The actual purpose and reason for the hack may, however, soon be known. If it really was an inside job, then the number of potential suspects is relatively small, and the investigation immediately focused. Indeed, the West Yorkshire Police issued a brief statement Monday: "Police investigating the theft of payroll data from Morrisons have arrested a man... an employee of the company... arrested on suspicion of making or supplying an article for use in fraud... He is currently in custody." 

"Those convicted of such an offence, under section 7 of the Fraud Act 2006, can face up to 10 years in prison in the most serious cases," notes the Guardian newspaper.

Newspapers have been quick to point out that the incident comes at a difficult time for the supermarket chain. "The company found out about the theft on Thursday," reported the BBC, "just after it had reported a £176m loss and warned that profits in the coming year would be less than £375m, about half the level of last year's."
