Morrisons supermarket hit by MASSIVE staff payroll data robbery

Morrisons' checkout and shelf-stacking staff across the UK will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online. The grocer said on its Facebook page that it had notified all its workers that their personal information had been …

COMMENTS

This topic is closed for new posts.


"This was an illegal theft of data"

Rather than a legal theft of data?


Correct, this isn't the NHS you know.


similar to 'a robbery gone wrong' ?


Of course, only GCHQ are allowed to legally steal data

Anonymous Coward

technically speaking

they don't steal. They take it legally (they say). And if you disagree... well, you know what you can do, right? Nothing.


Rather, an illegal copying of data.


This post has been deleted by its author

Anonymous Coward

@Mike Brown

Since neither the GCHQ or NSA were involved, it was clearly an illegal theft of data.


Data Security??

Anyone have any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?

Morrisons could be open to legal action from every employee who had his/her info stolen if no security measures had been taken with the data. 100,000 is rather a large number after all.


Re: Data Security??

Nowhere in the article did it mention hackers. Articles from other sources suggest Morrisons believe it was not the work of outside hackers - so presumably an inside job.

Joke

Re: Data Security??

Yes it was the IT bod.....

Oh the Intranet, make it available on the INTRANET? ooopsie.

Headmaster

Re: Data Security??

Anyone have any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?

Well, Alexandra from HR will be royally pissed if she's unable to handle employee data because they were "obfuscated in any way".

Most data stores are not improved by hashing or obfuscating them.


Re: Data Security??

> Most data stores are not improved by hashing or obfuscating them.

I know PCI-DSS is hard and expensive, but that doesn't mean you can't learn from how we deal with it. Tokenise the data and only get it out of the vault when you absolutely have to. In the meantime, encrypt in transit and encrypt at rest, so even the IT bods with a debugger and a copy of the data store can't see more than what is currently being processed.

A supermarket *can* afford that.

... and finally, surely this was infringement, not theft...

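The tokenise-and-vault approach the comment above describes, as an added example that is not from the original thread or from Morrisons' systems: the payroll store keeps only random tokens for bank details, the vault is a separate component that hands a real value back only for a stated purpose, and every retrieval is logged. The in-memory vault and the employee records are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Separate store mapping random tokens to sensitive values.

    Constructed demo: a dict stands in for a real vault service that would
    hold these values encrypted at rest behind its own access controls.
    """
    _values: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def tokenise(self, value: str) -> str:
        # Token is random, not derived from the value: two employees with
        # the same sort code get different tokens, so a leaked store gives
        # no frequency clues either.
        token = "tok_" + secrets.token_hex(8)
        self._values[token] = value
        return token

    def detokenise(self, token: str, purpose: str) -> str:
        # Every trip to the vault is recorded with the reason it was needed.
        self.audit_log.append((token, purpose))
        return self._values[token]


# Constructed sample records, not real employee data.
SAMPLE_EMPLOYEES = [
    {"id": 1, "name": "A. Example", "sort_code": "11-22-33", "account": "12345678"},
    {"id": 2, "name": "B. Example", "sort_code": "11-22-33", "account": "87654321"},
]


def build_payroll_store(vault: TokenVault, employees: list) -> list:
    """The HR/payroll database keeps names and tokens, never bank details."""
    return [{"id": e["id"], "name": e["name"],
             "sort_code": vault.tokenise(e["sort_code"]),
             "account": vault.tokenise(e["account"])} for e in employees]


def run_payment(vault: TokenVault, record: dict, amount: int) -> dict:
    """Only the pay run pulls real values, one record at a time, with a purpose."""
    why = f"payrun:{record['id']}"
    dest = f"{vault.detokenise(record['sort_code'], why)}/{vault.detokenise(record['account'], why)}"
    return {"to": dest, "amount": amount}


def bank_details_exposed(store: list, employees: list) -> bool:
    """What a dumped copy of the payroll store reveals: True if any real value is in it."""
    real = {e["sort_code"] for e in employees} | {e["account"] for e in employees}
    return any(v in real for rec in store for v in rec.values() if isinstance(v, str))
```

A copy of the payroll store taken from a backup or a debugger session therefore contains tokens only, and the vault's audit log shows which tokens were resolved and why.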
Anonymous Coward

Re: Data Security??

> any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?

> Morrisons could be open to legal action

Can you offer a justification as to the legal basis for that? As far as I'm aware, nothing in English law explicitly requires "obfuscation" of personal data in this case.

FAIL

By payroll data

Do they mean a pay run for the month or do they mean the Payroll departments database?

Wonder who supplies Morrisons payroll services?


Re: By payroll data

Oracle provides Morrison's payroll (via Wipro) - http://www.wipro.com/Documents/MORRISONS%20CASE%20STUDY-final(curve).pdf

http://www.computerweekly.com/news/2240106307/Former-Whitbread-CIO-joins-Morrisons-as-IT-transformation-director


Re: By payroll data

There is no mention of WIPRO supplying the payroll data; where did you read that?


No mention of WIPRO ..

@Amiga500: "There is no mention of WIPRO supplying the payroll data, where did you read that?"

It's in the linked to PDF document ..

link: "WIPRO enabled Morrisons' £30 million business transformation - one of the largest in the world - and helped realize savings in the tune of £7 million."


Re: By payroll data

Well no, Morrisons provide their own data. If you check the first link you'll see the Oracle system was implemented by Wipro.


Re: By payroll data

Yes, I did read that, but seeing as it's a retail organisation the database is used for the retail side of the business; why did you link that and payroll data? These would be logically separated.


I remember a few years ago working for a medium-sized national high street retail outlet; after questioning some staff payroll issues I was forwarded a database of every member of staff's payroll information in the whole company, CEO and down: gross salary, perks, bonuses, the lot for a whole year. I did the responsible thing, but it's so easy for this to happen innocently so long as the workers are not aware of the risks of the data they are playing with, never mind actual theft!

Interestingly, after I had a good look at the whole company structure I was appalled at the pay differences on contractual gross pay alone. Even in the top 2/3 tiers, the drop down to the next tier of management was staggering, in the order of a tenth! Things dropped in a standard fashion down to regional managers thereafter, and finally the drop to store management was another shocker. Normal store workers and many at HO/DC, accounting for the vast majority of staff, were of course all on minimum wage.

I guess I hadn't realised that even in HO the pay wasn't that great, and even more senior management at HO were getting a fraction of the top 2 or 3 tiers.

Anonymous Coward

" I did the responsible thing "

...

"Interestingly, after I had a good look ..."

A fine example of an upholding and abiding citizen.

Anonymous Coward

" I did the responsible thing "

...

"Interestingly, after I had a good look ..."

And then posted your analysis on a public Internet forum ®


IBM did a series of adverts some years back - a title, a sort scene, then the IBM boop-do-be-doop jingle and logo.

The one they did called "Hackers" featured two people looking at a company's payroll information and remarking "wow - that guy earns twice as much as that guy. I bet he doesn't know". To which the other replies: "he does now - I just emailed it to the whole company".

It's not for nothing that IBM picked that particular scenario to scare corporate viewers.

Anonymous Coward

Re: " I did the responsible thing "

IMHO the secrecy regarding pay differentials is one of the reasons why the high ups in companies earn so much more than the worker bees. There are right ways and wrong ways about publicising what goes on at particular companies. If the intention was just to publicise the pay rates for different jobs, what has happened at Morrisons is most definitely the wrong way.

As a general point , if we don't talk about what different jobs pay, we will never address what I perceive to be the growing wage inequality in British companies. Useful information about payroll costs and pay differentials isn't always published in annual reports. Of course, us proles could all just keep quiet about it, but I wager the people in charge of setting pay do talk to each other. The wage fixing investigations in Silicon Valley over in the US have shown us it does go on.


Absolutely :) But it was handed over and not a word mentioned. Let's be honest here, we can all sit here and say we wouldn't do it, but I'd hazard a guess and say most of us would take a wee peek.

But given that you or anyone else here doesn't have any idea who I am, and even if they did couldn't pin it down to a company within the vast number of years I've been working, I think it's safe to say no one will be the wiser what that information was.

Anonymous Coward

Re: " I did the responsible thing "

Responsible thing ? What's that ?

1) Keep quiet

2) Discreetly tell store union reps if any, possibly get fired.

3) Discreetly tell trade journalists, maybe get fired

4) Indiscreetly tell employees, watch the revolution begin

5) Anonymously post it on an internet forum

6) Raise your concerns with upper management, get fired

The Reg really needs a multiple choice vote button.

FAIL

where's the data?

So Wipro was the system integrator; everything including payroll is on Morrisons' own installation of Oracle eBusiness Suite. Who runs the data centre, and where?


The way to fix staff payroll data theft is fire anyone whose data gets stolen, as long as they are just someone who works there and not important to the company. This is because data theft is against the Company Policy and if a worker's data is stolen it must be their fault because it was their data. Then they are no longer an employee so no laws about employee data security have been broken.

Anyone who complains about this rule also gets fired. Anyone who makes fun of this rule is also fired, unless they are the boss telling a joke in a meeting, in which case everyone who doesn't laugh is fired, unless this was actually a company loyalty test, then random people are fired (for laughing, or not). Everyone taking legal action against the company is fired, not in retaliation, but because if they are talking to lawyers they are not at work, working. Everyone consulting with a lawyer is fired, since the company is paying them and it is against the rules to spend company money on lawyers that don't work for the company.

Everyone in IT is fired. There will be no more IT. IT will be run by one guy from payroll who knows Office and once upgraded Windows on his home computer. If he doesn't work overtime for no extra pay he will be fired.


That would be funny...

... were it not for the fact I've worked at places where that sort of logic prevailed!!

Anonymous Coward

Team! Team, team, team, team, team. I even love saying the word ‘team’. You probably think this is a picture of my family? No! It’s a picture of The A-Team. Bodie, Doyle, Tiger, the Jewellery Man.

Anonymous Coward

Please, don't give them any ideas!

I've worked for this outfit for far too long, and to be honest, I'm surprised it's taken this long for this sort of thing to happen.

But then, they have blamed the recent losses, at least in part, on the recent IT upgrades they have done - they have brought a brand new ordering system in to stores (among other things), it cost at least 8 (possibly 9) digits to bring about, and it is universally despised by every member of staff who comes in to contact with it.

The most laughable thing is the mid-range 11 inch Windows 7 tablets we have to use - they run nothing but a Chrome webapp, and are far over-powered for what they are used for, but they rarely if ever work properly - we have 6 in store, 2 refuse to boot and another has a touchscreen that only works on random spots.

I reckon they could have picked up a bunch of 50 Android tabs from Amazon, locked them down, and had them running better for the job than the POS we've ended up with which cost well over a grand a piece.

So yeah, it's no surprise that security in the IT department is so lax that payroll details have been leaked - oh, and that whole "We've informed our staff about this" thing - an A4 piece of paper was put on the staff notice board that no-one actually pays any attention to - that is the only official word we have had on the matter.

Posting anon, for obvious reasons.

Anonymous Coward

Re: Please, don't give them any ideas!

Isn't it fairly general that the big software packages used by big organisations are complete rubbish?

We had an accounting software package at my work (before retirement) that handled everything - stores, spares, timesheets, scheduling etc. It was produced by a large American company (three letter abbreviation but not IBM) and seemed to be used by many other large organisations. It was universally hated and very awkward to use. I used to wonder if the people at the top ever had to use it because I could not imagine them being able to drive it.

Anonymous Coward

Re: That would be funnier...

If I could still remember a place where that sort of logic DIDN'T prevail

Angel

Is it theft?

For theft you need to permanently deprive the owner of property?

Now they could have abstracted electricity to copy the data.


A little thing that bugs me...

Why do companies, and it seems to be mainly supermarkets, insist on using the word "colleague" when they mean "employee"?

There's a sign at the local Asda, along the lines of "Don't reach up to this high shelf, ask a colleague for assistance". Well I would, but none of my colleagues are here shopping with me. I think what they mean is "ask an employee" or "ask an assistant".

Is it some sort of politically correct newspeak designed to make employees feel in some way valued or empowered, by not calling them employees? In the same way the people who empty your bins are apparently "operatives"?


Re: A little thing that bugs me...

Retail Enablement Consultants.

WTF?

Re: A little thing that bugs me...

A semi-relative spent the summer uni vacations working at a local store as a member of their "Out-of-Hours Ambient Replenishment team" - better known as a night-time shelf-stacker in the tinned/dried food aisles.

[Seems that in the world of food "ambient" is used as the opposite of chilled or refrigerated].


Re: A little thing that bugs me...

the people who empty your bins are apparently "operatives"?

I think you mean a Waste management and recycling technician.


Re: A little thing that bugs me...

I always thought "operatives" are the guys that know about trigger discipline when handling silenced M4s?

Anonymous Coward

Re: A little thing that bugs me...

Is it some sort of politically correct newspeak?

Yes, but it's more than that: there are people in those supermarket chains (way higher than the shop-level staff) who sound like they genuinely believe that the word "colleague" is used in earnest and signifies how much their company values their work. Correction: contribution to the well-being and (always) growth of the company.

Anonymous Coward

Re: A little thing that bugs me...

The jobs of "operatives handling silenced M4s" have long been outsourced to India, only the Board stays in the UK (don't ask me if they pay taxes, they get paid taxes)


Re: A little thing that bugs me...

Sometimes people try to dress up a poor job with a fancy title. I bumped into an old friend a while back and asked them what they were doing now. They said they were an Information Engineer. I was a little surprised, because I know what a real Information Engineer is and this person had never, when I knew them, shown leanings toward anything remotely sophisticated.

Turns out they put content on a website.

A small website.

Using Ctrl-C and Ctrl-V mostly.

Anonymous Coward

Re: A little thing that bugs me...

4-chan? Where every post is a re-post?

Coat

Re: A little thing that bugs me...

"Plate Glass Maintenance Engineer"

Err, Window cleaner


A little more concern over "More of what matters" maybe?


worried?

Not sure what details are there in the database, but why necessarily would the employees be worried about their bank accounts?

"will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online."

Typically knowing someone's name and bank account details allows you to make a transfer TO them. If I want to TAKE money from the account, I need to have one of:

- a bank card linked to the account + knowledge of the PIN (to make an ATM withdrawal)

- some sort of one-time-key security dongle + knowledge of a PIN or password (online banking)

- a photo ID bearing my photo plus the name on the account, plus often also the physical bank card (to make an in-person withdrawal at the bank)

Of course that's assuming the banks have good security procedures in place...


Re: worried?

"... [only] allows you to make a transfer TO them..."

That's what Jeremy Clarkson thought too. Google "Jeremy Clarkson bank account hacked".


Re: worried?

Oh FFS stop it.

If an unauthorised DD comes out of your account, just ring your bank and tell them: the money is instantly recalled and the DD cancelled with no damage done. I've used it many times when "administrative errors" result in my monthly bills getting FUBARed by various companies.


Re: worried?

Wot you like hanging on the line to explain to the call center people that it wasn't you?

It is something you shouldn't have to do ever.

Something similar happened to the wife. The withdrawal went over a limit, the account got blocked, so the call centre people couldn't even see anything on their screens. The branch phone number diverts you to said call centre. Seeing as we weren't in the UK at that time it was a royal pain. The withdrawal wasn't to a charity/utility either.

