Staff Data at UK Grocery Chain Breached
Personal Info, Including Bank Account Details, Exposed
The company, in a Facebook post detailing the incident, says the data was stolen, although it gives few details about how the information was exfiltrated from the company. A request for additional information was not immediately returned.
The incident could be the result of an internal leak, according to UK publication The Guardian.
The employee information was posted to an unspecified location on the web for a few hours, The Guardian says. A disc containing the data was also mailed to The Telegraph & Argus, a local newspaper in Yorkshire, England, by an anonymous individual claiming to be "a concerned Morrisons shopper." Details of about 100,000 staff members were included on the disc, the newspaper says.
BBC News reports that an employee at Morrisons has been arrested following the data compromise. Morrisons confirmed the arrest with the media outlet, saying it will continue to work with the police.
After learning about the compromise, Morrisons worked to ensure the data was removed from the website. Compromised information includes names, addresses and bank account details of company employees, Morrisons says. Employees at all levels within the organization were impacted.
"Our immediate priority is the security of your financial information," the statement says. "We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account."
Morrisons is working with law enforcement to investigate the incident. A dedicated e-mail address has been set up to answer questions regarding the breach.
"We are very sorry that this has happened," Morrisons says in the statement. "We will ensure that no colleague will be left financially disadvantaged as a result of this theft."
In weighing Morrisons' breach response, Francoise Gilbert, founder and managing director of the IT Law Group, says the company is reaching out to its personnel in the "most expedient manner. Certainly, using a Facebook post might help spread the word."
"Usually companies also send e-mails directly to the affected people," Gilbert says. "It is not clear how many employees were affected and whether it is practical for the company to send a blast e-mail, and how long it would take to arrange one."
Attorney Ronald Raether of Faruki Ireland & Cox LLP says the company should have referenced the remedial measures and resources more. "Maybe this is cultural," Raether says. "Why not [mention] a leading expert [is assisting in response]? Why not say you're working with banks to secure card numbers?"