Morrisons supermarket hit by MASSIVE staff payroll data robbery

Morrisons' checkout and shelf-stacking staff across the UK will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online. The grocer said on its Facebook page that it had notified all its workers that their personal information had been …

COMMENTS

This topic is closed for new posts.

    1. Anonymous Coward

      Re: worried?

      This attitude, prevalent in Britain, has always amused me somewhat. This is a nation who think giving out your bank account number is dangerous but insist on using cheques. They think ID cards are dangerous but proving your identity with a gas bill is fine.

      Brits are very resistant to any kind of change, so they bring out some well publicized case while ignoring the fact that the old system is clearly broken.

      It's one of the many endearing idiosyncrasies about the UK, along with other band-aid solutions like hot water bottles, carpets and thick curtains. The rest of us build our homes warm and draft free.

      But I love Brits and the UK to bits. The Shire wouldn't be the same if hobbits lived any other way.

      1. xerocred

        Re: worried?

        "... who think giving out your bank account number is dangerous ..."

        A basic tenet of security is 'need to know'. The whole population doesn't need to know anything about me and my bank account. I like to keep it that way.

      2. jbuk1

        Re: worried?

        No one I know has used cheques for years. Does anyone even get a cheque book with their account anymore? If you'd been talking about the USA maybe.

        I think you're a little misguided with your assertions about the UK though.

    2. JMB

      Re: worried?

      'worried?

      Not sure what details are there in the database, but why necessarily would the employees be worried about their bank accounts?

      "will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online."

      Typically knowing someone's name and bank account details allows you to make a transfer TO them. If I want to TAKE money from the account, I need to have one of:

      - a bank card linked to the account + know the PIN (to make ATM withdrawal)

      - some sort of one-time-key security dongle + knowledge of a PIN or password (online banking)

      - a photo ID having my photo plus name on the account, plus many times also the physical bank card (to make an in-person withdrawal at the bank)

      Of course that's assuming the banks have good security procedures in place...'

      Like the fuss someone will make about giving their bank account number online yet will send a cheque by mail to a complete stranger and what does the cheque have printed on it ............

  1. Anonymous Coward

    Theft not hack

    This appears to have been a theft of data not a hack.

    Someone needs access to payroll data in an organisation and if those people decide to steal it, it can be very difficult to prevent them from doing so. I know we all love to jump to conclusions but I haven't seen anything to suggest that this isn't the sort of attack that almost any organisation might fall victim to.

    1. Velv

      Re: Theft not hack

      Doesn't matter if it was theft or hack, were sufficient measures put in place to attempt to prevent the loss of the data?

      Since >80% of data loss incidents occur from inside, that is where the focus of protection should be.

      It's hard to restrict the DBA of the HR system from accessing the data, but you wouldn't expect the web admin to have access. Edward Snowden demonstrates that you can never prevent every loss, but only the ICO report will reveal if this was a leak through bad controls as well as bad people.

  2. TeleC

    Interesting coincidence?

    Considering they posted a major profit warning this week, I wouldn't be surprised if this was someone 'looking into' where that profit really went, or who's getting rich off of it.

    1. Destroy All Monsters

      Re: Interesting coincidence?

      Monsieur Besancenot, please go!

  3. cd

    "We are liaising with the police and highest level of cyber crime authorities."

    That is reassuring.

    1. JMB

      ' "We are liaising with the police and highest level of cyber crime authorities."

      That is reassuring.'

      Translates as the boss is asking his son who has an XBox

  4. eJ2095

    Not one to ask BUT

    Why was the payroll data even linked / put on their website server?

    Also, wasn't Morrisons lagging behind with their on-line shopping anyway?

    Only wanted my groceries and ended up with a payroll.. (Wonder if you can get the Morrisons Fuel Saver on this....)

    1. Velv

      Re: Not one to ask BUT

      "Why was the payroll data even linked / put on their website server?"

      It wasn't.

      It was "stolen and then uploaded onto a website"

  5. Lyndon Hills 1

    strange

    Some have pointed out that the article doesn't say it was external crackers, and so it might be an inside job. While possibly the case, if you had access as an insider, why would you post all the details online? Morrisons will obviously call in experts (and police as they've said), so I'd worry about being caught, and surely the consequences of this would far outweigh the lolz gained? The perp also sent it to a newspaper, increasing the avenues for investigation.

  6. Mark 85

    Included Bank Account info??

    Ok.. so any money on who got the word first in order to get the bank to change their account number? Either the CEO or the junior stock person in the warehouse? And I'd lay odds that every senior staff member disappeared to their bank as soon as they were told and didn't have to wait until the end of their shift like everyone else.

  7. Frumious Bandersnatch

    bank accounts

    The banks should allow you to set up "aliases" for your bank account. They generate a new account number that is linked to your main bank account and then you give that account number to your employer or whoever needs to transfer money into your account. Make the account only available for inwards funds transfer, so that if the account details are stolen, they're of precious little use to anyone. (sort of like how you can get disposable, pre-pay credit card numbers)

    At a stroke, this would solve the problem that these data breaches cause. They should also extend the "alias" idea so that you could set up separate payment accounts that you use for different recurring bills.

    It seems simple and effective, but am I missing some obvious gotcha?
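The alias scheme proposed in this post, modelled as an added Python example (not code from the article, from the commenter, or from any bank): an alias number resolves only for incoming credits, any debit presented against it is refused regardless of what authorisation the presenter holds, and a leaked alias can be revoked and reissued without touching the real account. The account numbers, amounts and the `authorised` flag standing in for card-and-PIN or token checks are all constructed for the illustration.

```python
"""Receive-only bank account aliases (added illustration, not a bank's code).

Constructed assumptions: the bank keeps a mapping from alias numbers to real
accounts, every alias is inbound-only and revocable, and every ledger
operation passes through the alias layer before touching a balance.
"""
import secrets
from dataclasses import dataclass, field


class TransferRejected(Exception):
    """Raised when an operation is not permitted for the presented identifier."""


@dataclass
class Alias:
    real_account: str   # the account this alias forwards credits to
    label: str          # who the alias was issued to, e.g. "employer payroll"
    active: bool = True # a revoked alias stops accepting credits


@dataclass
class AliasBank:
    balances: dict = field(default_factory=dict)  # real account -> balance (pence)
    aliases: dict = field(default_factory=dict)   # alias number -> Alias

    def open_account(self, number: str, opening_balance: int = 0) -> None:
        self.balances[number] = opening_balance

    def issue_alias(self, real_account: str, label: str) -> str:
        """Mint a fresh inbound-only alias bound to an existing real account."""
        if real_account not in self.balances:
            raise KeyError(real_account)
        while True:  # 8 digits is just a realistic shape for the example
            alias = f"{secrets.randbelow(10**8):08d}"
            if alias not in self.aliases and alias not in self.balances:
                break
        self.aliases[alias] = Alias(real_account=real_account, label=label)
        return alias

    def revoke_alias(self, alias: str) -> None:
        self.aliases[alias].active = False

    def credit(self, identifier: str, amount: int) -> str:
        """Pay money IN via an active alias or a real account number.
        Returns the real account that was credited."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        target = self._resolve_inbound(identifier)
        self.balances[target] += amount
        return target

    def debit(self, identifier: str, amount: int, authorised: bool) -> int:
        """Take money OUT. Only a real account, with the holder's authorisation
        (card+PIN, token, etc., abstracted to a flag), may be debited.
        An alias is never debitable, even when 'authorised' is True."""
        if identifier in self.aliases:
            raise TransferRejected("aliases are inbound-only")
        if identifier not in self.balances:
            raise TransferRejected("unknown account")
        if not authorised:
            raise TransferRejected("holder authorisation required")
        if amount <= 0 or amount > self.balances[identifier]:
            raise TransferRejected("invalid amount")
        self.balances[identifier] -= amount
        return self.balances[identifier]

    def _resolve_inbound(self, identifier: str) -> str:
        if identifier in self.aliases:
            entry = self.aliases[identifier]
            if not entry.active:
                raise TransferRejected("alias revoked")
            return entry.real_account
        if identifier in self.balances:
            return identifier
        raise TransferRejected("unknown account")


def demo() -> dict:
    """The scenario in the post: an alias is handed to the employer, then the
    payroll file containing it leaks."""
    bank = AliasBank()
    bank.open_account("MAIN-001", opening_balance=10_000)
    payroll_alias = bank.issue_alias("MAIN-001", label="employer payroll")

    bank.credit(payroll_alias, 150_000)  # salary lands on the real account

    # The leaked alias cannot be debited, whatever the presenter claims.
    stolen_debit_blocked = False
    try:
        bank.debit(payroll_alias, 1, authorised=True)
    except TransferRejected:
        stolen_debit_blocked = True

    # The holder retires the leaked number and issues a replacement.
    bank.revoke_alias(payroll_alias)
    new_alias = bank.issue_alias("MAIN-001", label="employer payroll (reissued)")
    old_alias_dead = False
    try:
        bank.credit(payroll_alias, 1)
    except TransferRejected:
        old_alias_dead = True

    return {
        "balance": bank.balances["MAIN-001"],
        "stolen_debit_blocked": stolen_debit_blocked,
        "old_alias_dead": old_alias_dead,
        "new_alias_differs": new_alias != payroll_alias,
    }
```

The protection only holds while the real account number itself stays between the holder and the bank: any document that prints the real number alongside the alias (a statement, a payslip, a returns slip) puts the scheme back to where it started.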

    1. Anonymous Coward

      Re: bank accounts

      Citibank send me my credit card statement with card number helpfully obfuscated like:

      1234-4567-89XX-XXX

      However, helpfully printed on the bottom of the statement, on the 'do not write here' return slip it has the full card number in clear text.

      So what could possibly go wrong with your great idea?

    2. Anonymous Coward

      Re: bank accounts

      Sounds like one of the many features of BITCOIN, in fact.

  8. Anonymous Coward

    "The grocer said on its Facebook page"

    Well, there's part of ya problem!

  9. This post has been deleted by its author

  10. I. Aproveofitspendingonspecificprojects

    A family firm that eats its workers

    They use the fact that the firm is a "family run business" as an introduction to their agencies' induction process. Some of the videos shown at the induction indicate the family is a bunch of cut-throats, but oddly that doesn't put anyone off. Being unemployed trumps frightened rabbit every time.

    The agency(s?) steal potential money from potential employees before said potential employee even gets a job. It is all to do with the forms you fill in and the permissions you have to give. They are just like the forms you fill in online when you join MSN Groups and end up agreeing to all the spam hell can send you.

    They use agencies to employ temporary staff so that they can be let go without any comebacks. At the interview, the hopeful are ordered to give details of their accounts "for payments to be made" when eventually employed.

    The details are then used to access the account and take out a small amount regularly. Most people notice and stop it, but a lot - enough - don't see it until too late.

  11. Anonymous Coward

    Current data only??

    Does anyone know if the data was only current employees?

    Morrisons made a lot of people redundant ~6 months back. It is unlikely that Morrisons will be contacting their ex-employees to say "sorry but we still have your financial info on our systems and now it's been stolen".

    Enquiring ex-employees need to know if they are at risk.
