Details Of 100,000 Morrisons Staff Stolen In Major Data Theft

Thousands of staff at the supermarket chain Morrisons have had their personal details stolen and published online by hackers, the company has revealed.

The bank details and home addresses of up to 100,000 workers were among the details taken in the security breach, which is believed to have been the result of an internal leak.

The data, which covered employees from executive level to those on the shop floor, was apparently copied onto a portable storage device and taken out of Morrisons’ Bradford headquarters, before being sent anonymously to Yorkshire local paper the Telegraph & Argus, by “a concerned Morrisons shopper”.

Urgent review

In a statement on its Facebook page, the company stressed that no customer data had been taken, and that it was working with police to identify the source of the theft, which “initial inquiries” suggested was not the result of an external breach of its security systems. The company would now also be “urgently reviewing our internal data security measures”, the statement said.

Morrisons said that all the staff details published were put on an unspecified location on the web for a few hours, but were taken down immediately when discovered. The attack comes just one day after the supermarket chain announced that it made a loss of £176 million in 2013, and pledged to cut prices to compete with low-budget supermarkets such as Aldi and Lidl.

“We have already informed our colleagues about the theft and we are helping them take the appropriate actions to safeguard their personal data,” Morrisons said, adding that the company had contacted staff via email and its Facebook page to inform them of the leak, and had also set up an email address for questions. The company also said that “no colleague will be left financially disadvantaged” and that it was now working with UK banks and credit check service Experian to help colleagues secure their bank accounts.

Morrisons is far from the only major retailer to have been hit by data theft attacks recently. In January, US online retailer Target has disclosed that as many as 70 million of its customers were affected in a major data breach it experienced. A similar attack last month nicknamed ‘ChewBacca’ also infected systems at more than 45 retailers in order to steal their customers’ credit- and debit-card details.

“Morrison’s breach serves as a timely reminder that organisations can no longer take a ‘this won’t happen to me’ approach when it comes to securing sensitive data,” said George Anderson, product marketing director at Webroot. “It highlights how easy it can be for sensitive data to be abused and fall into the wrong hands, even if those are a disgruntled employees’ hands rather than hackers’. It also underlines the importance of having the right confidentiality, integrity and access data security policies in place.

“Today’s breach is a lesson for all businesses. Sensitive and personally identifiable information customer data is valuable and organisations must ensure they act responsibly with it. The only way is to take a structured, multi-layer approach to security that is updated and reviewed on regular basis to keep one step ahead of new threats – whether they’re internal or external”.

Are you a security pro? Try our quiz!