Insider Threat Breach at Morrisons
Supreme Court Rules on Data Breach Responsibility
In a significant ruling, the UK Supreme Court has overturned the High Court judgment (upheld by the Court of Appeal) that had held the supermarket liable for a maliciously motivated insider data breach.
A major moment in the history of insider threat cases, the Supreme Court’s unanimous judgment clears Morrisons of the ‘vicarious liability’ claimed against it in a case stemming from the breach of thousands of employees’ personal data.
The Morrisons insider threat breach occurred in 2014, cost the company a reported £2 million to rectify, and saw the payroll data of nearly 100,000 employees disseminated online. It was carried out by a disgruntled Morrisons auditor who, holding a grudge against the company over a disciplinary matter, stole copies of the data and published them in the hope of damaging his employer’s reputation.
Malicious Insider Leaked 100,000 Employees’ Sensitive Data
The individual responsible, Andrew Skelton, was sentenced to eight years for fraud. A group of over 5,000 employees then took the supermarket to court for the ‘upset and distress’ caused by the leak, claiming their employer was partially to blame for Skelton’s actions.
In 2017 the High Court originally found Morrisons responsible for the actions of its employee, the first instance of ‘vicarious liability’ being applied to a case of misuse of information, and a ruling that emphasised the risk insider threat poses not only to data security but to organisational liability.
Responsibility for Data Breaches
Lord Reed, the president of the Supreme Court, stated: “Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta.” The decision has left the roughly 9,000 claimants who had joined the action by the time of the appeal, according to their legal representation, “hugely disappointed”.
Though the Supreme Court found in favour of the supermarket’s appeal, it also confirmed that the Data Protection Act does not exclude vicarious liability: an organisation can still be held liable for an employee’s data breach where the wrongdoing is sufficiently closely connected with what the employee was employed to do. Skelton’s personal vendetta was not, so the principle did not apply in this case.
A spokesperson for Morrisons said of the breach: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.”
Given how much sensitive data companies handle, and how easily a rogue employee with legitimate access can copy it, it is no wonder that cases such as this are closely watched by companies across the UK.
It may come as a surprise to some, but industry surveys report that over 60% of organisations have experienced an insider threat. At the same time the cost of insider threats continues to rise: the Ponemon Institute’s 2020 Cost of Insider Threats report estimates a 31% increase in the average annualised cost per organisation, from $8.76 million in 2018 to $11.45 million in 2020.
In the face of a ‘personal vendetta’, as in the Morrisons insider threat breach, or an attack driven by hidden malice, it may seem that organisations are without recourse. But there is always more that can be done to mitigate the risk of insider threat actors, starting with robust information security awareness training. The caveat, as Morrisons’ own statement makes clear, is that the data was taken by someone with legitimate authority to hold it: awareness training reduces negligent and socially engineered leaks, but against a determined insider it needs to sit alongside least-privilege access, separation of duties, and logging and review of bulk access to sensitive data.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.