UPDATED: Morrisons staff payroll data stolen and published on the internet

Morrisons promises that "no colleague will be left financially disadvantaged"

Employee payroll data has been stolen from Morrisons, with staff warned this morning to check with their banks to make sure that their accounts have not been compromised.

The supermarket chain discovered the breach last night, when the details were published on the internet. The website has since been taken down and staff informed of the breach.

The theft of the data came to light after a local newspaper in Yorkshire, where the supermarket group is based, was sent a disc containing the information by a "concerned Morrisons shopper".

This morning, Morrisons responded by emailing staff to warn them of the breach, as well as posting a message on its Facebook page.

"We are extremely sorry to inform you that there has been a theft of colleagues' personal information, which was uploaded onto a website. As soon as we became aware of this last night we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified," the company told staff in a circular.

It went on to assert that it was "an illegal theft of data" rather than an error by a member of staff. The company says that it is liaising with police and the "highest level of cyber crime authorities".

It continued: "The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation. Our immediate priority is the security of your financial information. We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account."

The company has set up a special email address - [email protected] - and claims that CEO Dalton Philips is "leading the response".

It finished: "We are very sorry that this has happened. We will ensure that no colleague will be left financially disadvantaged as a result of this theft."

While Morrisons has refused to answer press questions about the breach, IT experts, naturally, have been much quicker to comment.

"By the tactics used, the behaviour is more of revenge or hacktivism because the perpetrators wanted the stolen data to be public," said Tim Keanini, chief technology officer of network security company Lancope.

He continued: "If they were cyber criminals, it would have been harder to find in the initial stages because it would have been for sale on some darknet and for a price. Also, the data being sent to a newspaper is another telling sign of the attacker wanting it to be a very public event."

There were also questions over how much data the attackers might have acquired. "I find it interesting that the attackers only went after the employee data when all the customer data that is stored could have been stolen and 'monetized'. Either it was taken, and they don't know it yet, or this is clearly not the cyber criminal profile in that this prize would have been much larger in numbers and would yield a higher price on the 'dark markets'," added Keanini.

While Morrisons' incident response has been 'okay', he said, it raises questions over the extent of computer security measures the company has implemented across its networks.

"They probably did not have the advance telemetry installed prior to the event to aid in the forensic investigation... If this was an insider threat, security tools like firewalls and intrusion-detection systems don't alarm because the attackers are using valid accounts to move around your network.

"Which account accessed this human resources system in the past 60 days? Why is an employee snooping around these file systems when they have never done this before? All of these behaviours show up like red flag if you have the right incident response readiness," said Keanini.

Paul Ayers, vice president of EMEA at security software company Vormetric, also questioned the security that Morrisons might have to combat insider threats.

"The question needs to be asked, why do so many organisations still have such inadequate policies in light of recent 'insider threat' headlines and incidents [reported] worldwide? Our own research showed that 73 per cent of organisations failed to block privileged user access to sensitive data," said Ayers.

Often, this means that staff can freely roam server directory structures without even having to enter a password. Not only should staff access be restricted, but data ought to be encrypted as standard, too.

"Organisations must regular assess their security position and constantly monitor their IT systems to detect and respond to data breaches as soon as they happen. In turn, encryption of all data must be viewed as a mandatory, life-saving seatbelt. It's only with a deep level of security intelligence and data-centric security that businesses will be able to spot suspicious activity as and when it occurs, and stop outside attackers and rogue employees alike in their tracks," said Ayers.