A lawsuit by Morrisons’ staff over a data breach that exposed personal data underlines the importance and potential impact of insider threats.
Although awareness of the information security risks posed by compromised or disgruntled insiders is rising, few organisations are taking adequate steps to detect and shut down insider attacks.
Thousands of Morrisons’ employees are to sue the supermarket giant in what is believed to be the UK’s biggest ever claim in relation to a breach of data security.
The news comes just a week after Sony Pictures announced an $8m settlement with former employees affected by data leaks that followed a cyber attack on the company in 2014.
The lawsuit claimed Sony knew confidential employee data was inadequately protected before the breach.
Under the settlement, Sony will pay up to $10,000 to each claimant for identity theft losses, up to $1,000 each to cover the cost of credit-fraud protection services and up to $3.5m to cover legal fees.
Responding to the Sony settlement agreement, some commentators said it should be a warning to all businesses that customers, employees and stakeholders can demand more than ever before.
“It is therefore imperative that businesses of all sizes are taking every possible effort to secure personal data as a standard procedure, not as an afterthought in response to a data breach,” said Bill Berutti, president of cloud, datacentre and performance businesses at IT services firm BMC.
The case against Morrisons relates to the posting on the internet of the bank, salary and National Insurance details of almost 100,000 members of staff by a former colleague with a grudge.
Andrew Skelton was jailed for eight years in July 2015 following a trial at Bradford Crown Court, which heard that he sent the information to newspapers and placed it on data sharing websites.
Skelton, who worked as a senior internal auditor at Morrisons’ Bradford head office, had previously been suspected of dealing controlled drugs at work.
More than 2,000 of his former colleagues now plan to pursue a group claim against the retailer following a hearing before senior master Barbara Fontaine at the Queen’s Bench Division of the High Court in London.
Risk of identity theft
Nick McAleenan, a data privacy lawyer at JMW Solicitors, said there will be a four-month period in which other Morrisons’ employees who were affected could join the group action.
“The case has important implications for every employee and every employer in the country. Whenever employers are given personal details of their staff, they have a duty to look after them.
“That is especially important given that most companies now gather and manage such material digitally and, as a result, it can be accessed and distributed relatively easily if the information is not protected,” he said.
McAleenan said that Morrisons failed to prevent a data leak that exposed tens of thousands of its employees to the very real risk of identity theft and potential loss.
“In particular, my clients are worried about the possibility of money being taken from their bank accounts and – in the case of younger clients – negative consequences for their credit rating.”
Skelton’s trial was told that he took Morrisons’ payroll information and then leaked the details of 99,998 employees after being disciplined for a previous incident in which he was accused of using the company’s mailroom to ship parcels to his private eBay customers.
McAleenan said the claim to be filed by his clients would allege that Morrisons was ultimately responsible for breaches of privacy, confidence and data protection law.
“I expect that we may well see other employees who might have been dissuaded from making a claim on their own deciding to join with their colleagues because of the group momentum that has now been established.”
Even before Morrisons’ employees decided to sue the retailer, security industry commentators said the breach demonstrated the seriousness of insider threats.
According to the Online Alliance Trust, almost one-third of data breaches in 2014 were caused either accidentally or maliciously by employees.
But research published by the Sans Institute in April 2015 shows that while insider threats are a key concern for security professionals, 40% of businesses polled had no systems in place to address this concern, while 32% said they lacked appropriate policies and procedures to deal with insider threats.
“Spotting cyber security incidents arising from inside a company can be particularly tricky because the perpetrator may have legitimate access – and in the case of the Morrisons breach, he did. It’s the classic Trojan Horse scenario,” said Luke Brown, vice-president and general manager for Europe at security firm Digital Guardian.
“However, there are numerous technologies out there designed to spot insider threats, and small investments can go a long way,” he said.
According to Brown, deploying data aware cyber security systems removes the risk factor associated with disgruntled employees and insider threats because even if someone has access to the data, they are prevented from copying, moving or deleting it without approval.
“Organisations and businesses must prioritise security to fully protect their most valuable asset – their sensitive data, which is simply irreplaceable once lost,” he said.
According to security industry commentators, breaches linked to insiders demonstrate that organisations still struggle to protect their data from those already legitimately “inside the fence”.
Whatever the motive, they say insider-related breaches are typically missed because of ineffective management of “privileged” users on corporate networks.
Every organisation has employees or contractors with privileged network access rights, and experts say a failure to control these users is often a weak link in an organisation’s data security defences.