Over 5000 Morrisons staff are suing the supermarket chain after their personal and financial data was leaked by a disgruntled insider.
The current and former employees want to be compensated for “upset and distress” caused by the incident, but Morrisons claims it is not liable.
However, the retail giant was awarded £170,000 in compensation for the leak at the time, while its staff got nothing, argued Jonathan Barnes, counsel for the 5518 employees.
“The judge was sure that the employees were victims too, and it is those victims who have received no compensation for their distress or loss of control of the situation," he said, according to the BBC.
"We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information.”
Andrew Skelton was a senior internal auditor at the Morrisons head office in Bradford when he leaked the details of nearly 100,000 supermarket employees, a breach which is said to have cost the firm over £2m to mitigate.
The leaked data – which was posted online and sent to several newspapers in 2014 – included NI numbers, birth dates and bank account details.
These details would certainly be enough for internet scammers to attempt identity fraud or follow-on phishing attacks.
Skelton is serving eight years after being found guilty in 2015. The incident apparently stemmed from a grudge he harbored against his employer after he was cautioned for using the company's mail room to sell legal highs on eBay.
David Emm, principal security researcher at Kaspersky Lab, argued that insider threats are a major challenge to organizations, accounting for 38% of all targeted attacks.
“Employees rank at the very top of the list of threats to data and systems. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness,” he explained.
“When insider-assisted attacks do occur, the impact of such attacks can be devastating as they provide a direct route to the most valuable information; in this case, customer data.”
Emm urged organizations to manage insider risk by improving staff training and awareness programs (bolstered by robust policies), restrict access to the most sensitive IT systems, perform regular security audits and use threat intelligence services.