Morrisons supermarket succumbs to insider threat

Staff pay and bank details posted by suspected insider at Morrisons.

Morrisons supermarket succumbs to insider threat
Morrisons supermarket succumbs to insider threat

On 13 March Britain's number four grocer, Morrisons, discovered that the pay data and bank account details for some 100,000 of its 132,000 employees had been published on the internet and sent to a newspaper.

It appears to not be a cyber attack, other than the fact that the stolen data was also published on the internet.  Nonetheless, the incident clearly illustrates how perimeter defences can be side-stepped by a well placed malicious insider, and the information security industry has been quick to suggest what might have been done to mitigate the threat.

Reuters reporters say that a company spokesperson told them: "Initial investigations suggest that this theft was not the result of an external penetration of our systems. We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged," adding that it is working with the police and cyber crime authorities to identify the source of the theft.

Darren Anstee, Arbor Networks commented to SCMagazineUK.com: “Companies must have incident handling response plans and teams in place to minimise the impact of any breach. Managing an incident like this efficiently can actually enhance reputation, if done well.”

In this regard, Paul Kenyon, co-founder and EVP of global sales at Avecto said in an email to SCmagazineUK.com: "We should give Morrisons credit as it has done all the right things in the aftermath. It reported the theft to the authorities, urgently reviewed its internal security measures and ensured its response is being led right from the top of the company.  It's difficult to defend against the insider threat but there are steps that can be taken. Limiting the number of administrative accounts and controlling access efficiently can go a long way to minimising the risk."

For Mark James, Technical Director at ESET UK, this means appreciating that detection is as important as protection, and in comments to SCMagazineUK.com said: “Appropriate security policies should be implemented to ensure alarms are raised as soon as unusual behaviour is detected. Should these hurdles be overcome, the proactive use of encryption should ensure sensitive data cannot be used for any meaningful purpose should it get into the wrong hands.”

George Anderson, Product Marketing Director at Webroot, emailed SCMagazineUK.com agreeing with this approach, adding that, “A well-developed and executed data security policy should be able to protect against all sorts of breaches, including internal ones. The best approach to security is to create a layered defence. It should encompass everything from identity protection and strong authentication like passwords, PIN and biometrics, to data encryption which ensures even compromised information can only be used by those with the necessary deciphering encryption keys and permissions”.

Paul Ayers, VP EMEA at enterprise data security firm Vormetric concludes: “This latest incident suggests that organisations are still struggling to protect their data resources from those already legitimately ‘inside the fence'. Organisations must be regularly assessing their security position and, more importantly, constantly monitoring their IT systems to detect and respond to data breaches as soon as they happen.  In turn, encryption of all data must be viewed as a mandatory, life-saving seatbelt. It's only with a deep level of security intelligence and data-centric security that businesses will be able to spot suspicious activity as and when it occurs, and stop outside attackers and rogue employees alike in their tracks.”