Morrisons has been found liable for a 2014 insider data leak which exposed personal details on nearly 100,000 staff, clearing the way for those affected to claim compensation.
The UK supermarket giant is preparing an appeal against the High Court decision, in what is the country’s first class action suit related to a data leak.
The retailer’s lawyers had argued that the firm already suffered a £2m hit related to the cost of investigating and remediating the incident. However, it was awarded £170,000 in compensation, while staff got nothing.
Andrew Skelton was a senior internal auditor at the Morrisons head office in Bradford when he leaked the details of nearly 100,000 supermarket employees after harboring a grudge with his employer.
That stemmed from the fact that he was cautioned by the firm after using the corporate post room to sell legal highs on eBay.
The leaked data included NI numbers, birth dates and bank account details, with Skelton eventually jailed for eight years back in 2015.
Egress CEO Tony Pepper argued the ruling against Morrisons is a warning to all firms to “start mitigating for the unpredictable human element”.
“It’s unlikely Morrisons will remain the only company to have such action successfully taken against them for very long. As this breach shows, organizations can’t simply trust their staff to always do the right thing and we also know people will make mistakes,” he added.
“Companies need to start solving this problem by using technology to control employees’ access to sensitive data and the actions they can take with it.”
Matt Lock, director of sales engineers at Varonis, claimed that the case underscores the need for organizations to tighten employee access controls.
“Unfortunately, many businesses find themselves extremely vulnerable to insider threats — malicious or otherwise, he argued.
“In fact, in almost half of the risk assessments we do on file systems we find thousands of sensitive files open to everyone on the network, and almost no one is monitoring how that data is being used. Too many businesses are just one employee action away from suffering massive fines, especially once the GDPR kicks in next year.”