Wm. Morrison, one of the UK's largest supermarket chains, has had the details of more than 100,000 staff stolen. While far fewer people have been affected by this data theft than in others recently reported
The theft covers the payroll records of staff employed by the company and the firm has stated no customer records have been compromised.
Morrison's experience, from the initial investigations, appears to have originated from inside the company and not one undertaken over the Internet, and so its a little different from many of the most commonly reported incidents, but it is a important reminder to business of the first principles of IT security. Protect all your important data.
The company announced a profits warning to the markets on Thursday that saw the share price fall by 10% as Chief Executive Dalton Philips stated a round of price cutting to enable the business to meet the threat of discount chains Lidl and Aldi.
Less than 48 hours after his statements he is leading the response team investigating the Data Theft and working with West Yorkshire Police and other crime crime bodies.
For a lot of CISO's and IT people a focus on Internet orientated threats is understandable, most need to be doing far more to protect the information flowing in and out of the business over the Web.
The observation we'd make though is that business must maintain a far more complete picture of the data it holds, how its used and where any risks may lie.
Payroll data provides a rich mix of information for thieves. Names and addresses, bank codes and National Insurance and phones numbers are all usually held. With this quality of data on offer its not hard to see why cyber criminals would want access to the system.
The company has started supporting its personnel providing information and advice on the steps they need to take to protect themselves and mitigate any impact. Through Facebook
a number of current and former staff expressed concern and confusion.
Managing information security effectively does require vigilance and this theft of data should remind business and the insurance sector that despite the challenges being faced from cyber risk the job should start with the data and systems you have the most control over ... those within your company.
It has been suggested that this a revenge or 'Hackivist' attack undertaken to embarrass the company as the information was sent to a newspaper though details there is a lack of information on when the data was stolen and if there was any attempt to sell it through the 'Dark Net' [insert Link Glossary].
Currently legislators in Europe and the US are looking at increasing the pressure on organisations to secure information through tougher fines of up to 5% of global turnover for serious breaches. While not currently in force or applicable and just to illustrate the point if this was successfully applied to the Wm Morrison incident the cost would be around £850million.
This an an eye watering amount of money that certainly would get the attention of the board, the markets and stakeholders and shows just how seriously government is taking the matter of IT and Cyber Security.
The lesson of Morrisons to all business is don't just focus on Cyber Risk, safeguard all the data you are responsible for everywhere!