SUPERMARKET DATA SWEEP
Talking of insider threats, the 2014 Morrisons breach makes our biggest breach list not because the number of employee records compromised (100,000) was so large, but because the methodology was so unsophisticated, yet so successful.
Andrew Skelton, who worked for Morrisons in Bradford, uploaded a database of sensitive information about his fellow workers, including bank details and salaries, to an external site. He was able to access the database using the credentials of another employee and was somehow allowed to copy the data and then upload it, unencrypted, to a public file-sharing service. Morrisons was found to be vicariously liable by a High Court judge in the first successful case of a UK data leak class action suit, which was brought by 5,000 staff members.
“The fact that the breach was unsophisticated is actually what makes it so scary,” said Egress Software Technologies CEO, Tony Pepper. “This ruling will have sent chills up the spines of many board members, who know that the risks of an employee leaking data are all too high. A recent survey of UK employees showed that one in four workers had maliciously leaked business data, and a further 35% admitted to sending sensitive information over email by accident.”
With GDPR around the corner, organisations large and small are going to have to start taking internal access to data more seriously or suffer the financial consequences.