Insider Threat Breach at Morrisons

Supreme Court Rules on Data Breach Responsibility

In a significant finding, the UK’s Supreme Court has overturned a High Court judgment that previously held the supermarket liable for a maliciously motivated insider data breach.

As a major moment in the history of insider threat cases, the Supreme Court’s unanimous judgement clears Morrisons supermarket of the ‘vicarious liability’ being claimed against it; a case stemming from a data breach of thousands of employees’ personal data.

Costing the company a reported £2 million to rectify, the Morrisons insider threat breach occurred in 2014 and saw nearly 100,000 employees’ payroll data disseminated online. A breach which occurred as a result of a disgruntled Morrisons auditor who, holding a grudge against the company for a disciplinary matter, stole and published copies of the data with the hopes of damaging his employer’s reputation.

Malicious Insider Leaked 100,000 Employees’ Sensitive Data

The individual responsible, Andrew Skelton, was sentence to eight years for fraud, though a group of over 5,000 employees took the supermarket to court for the ‘upset and distress’ caused by the leak, claiming their employer was partially to blame for Skelton’s actions.

Originally finding Morrisons responsible for the actions of its employee, a 2017 High Court ruling was the first instance of ‘vicarious liability’ being applied to a case of misuse of information; emphasising the risk that insider threat not only poses to data security, but to organisational liability.

Responsibility for Data Breaches

Lord Reed, the president of the Supreme Court stated, “Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta.” A decision which has left 9,000 claimants, according to their legal representation “hugely disappointed”.

Though the Supreme Court has found in favour of the supermarket’s appeal, the case does set a clear legal principle that organisations can be held vicariously liable for the actions taken by an employee which result in a data breach, just not in this case.

A spokesperson for Morrisons said of the breach: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.”

Insider Threat

As so much sensitive data is handled by companies and the potential ease with which a rogue employee can copy such information, it’s no wonder that cases such as this are being closely watched by companies across the UK.

It may come as a surprise to some, but over 60% of organisations have experienced an insider threat. At the same time the cost of insider threats continues to rise, with an estimated 31% increase from $8.76 million in 2018 to $11.45 million in 2020.

Though in the face of a ‘personal vendetta’, as is the case with the Morrisons insider threat breach, or an attack motivated by unseen malice, it may seem organisations are without recourse, there is always more that can be done to mitigate the risk of insider threat actors; starting with robust information security awareness training.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Phishing Text Message Examples

What is a Phishing Text Message?

What is a phishing text message? "smishing" is still a significant threat. Blog by Information Security training provider Hut Six Security.

Opportunist Cyber Criminals

Cyber Criminals Always There to Exploit a Crisis

It has been reported that a significant cyber attack has been launched against the World Health Organisation. Information Security blog by Hut Six Security.

6 SME Security Tips For SMEs

6 Business Critical Information Security Tips for SMEs

Information security tips to help safeguard any organisation. Blog by Information Security Awareness Training Provider Hut Six Security.

Anti-Phishing Training for Small Businesses

The Essential Anti-Phishing Training Guide for SMEs

What is phishing and how can you avoid it? The essential Anti-Phishing Training Guide from information security awareness platform Hut Six Security.

Business Continuity Plan

What to Do if you Don’t Have a Business Continuity Plan

In times of sudden change, be it a natural disaster, electronic failures or global pandemics, having a business continuity plan is essential. But what should you do if you don't have one?

COVID-19 Phishing Attacks

Phishers Exploiting COVID-19 Coronavirus

Phishing attacks are using the COVID-19 Coronavirus as a means of attracting unsuspecting individuals. Information Security blog from Hut Six Security.

Small Business Security Basics

SME Security is No Picnic

SME Security is No Picnic: problem in Chair not in Computer. Information security blog by information security awareness training provider Hut Six Security.

Data Protection Act for Businesses

How Does the Data Protection Act Affect Businesses?

How Does the Data Protection Act Affect Businesses? Rights, Obligations and Important Concepts. Blog by Hut Six Security.

Huawei Devices trigger a Google Warning

Google Warning Over Huawei Devices

Google Warning Over Huawei Devices: Huawei concerns continue. - blog by Information Security Awareness Training provider Hut Six Security

Data Protection Act Compensation

How Much Compensation for Breach of Data Protection Act?

How Much Compensation for Breach of Data Protection Act? Your Data Rights and Right to Compensation. Blog by Hut Six Security.

Speak to us about your Cyber Awareness