Morrisons supermarket held liable after employee leaks data
Morrisons supermarket held liable after employee leaks data

Supermarket chain Morrison's was found liable, in a first of its kind data leak class action suit, for the actions of a former employee who stole the data on thousands of his co-workers and posted it online.

The case is considered important by many as it shows the extent at which an employer can be held accountable for an employee's actions and stems from a 2014 incident in which then employee Andrew Skelton stole the data of 100,000 staff members, the BBC reported.

Skelton's actions were carried out over what appeared to be a grudge over an incident when he was accused of dealing so-called legal highs at work.

Names, addresses, bank account details and salaries were leaked online and sent to newspapers. Skelton was sentenced to eight years in prison for his actions after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

Matt Lock, director of sales engineers at Varonis comments: "The court decision sets a precedent and sends a very effective message to UK citizens who have become victims of breaches - they can have their day in court and receive recompense for the stress, worry and sleepless nights. With the GDPR deadline looming in May, companies are running out of time and out of excuses. They need to bolster their defences and prepare for the next attack, whether that's by a company insider or contractor with a score to settle or by criminal attackers".

"This ruling underscores the essential need to limit access to sensitive information only employees who absolutely need it. And, even for insiders who do have rightful access, monitoring that access to detect malicious behaviour like that of Skelton could help detect and prevent disasters like this. Governing bodies are calling for companies to provide comprehensive data security controls, and those that fail to lock down their data will pay the price".

In an email to SC Media UK Paul Norris, senior systems engineer - EMEA at Tripwire, said:  "The biggest chink in the security amour is humans. Despite many of us being trustworthy individuals, there are those insiders that break and severely damage this trust. An insider is the worst possible attack, but is also the hardest thing to uncover. How can you determine one's motive? Morrison's was none the wiser that this individual was going to leak such critical data. It is extremely difficult to vet everyone who has access to the various networks and sensitive data".