back to article Morrisons supermarket hit by MASSIVE staff payroll data robbery

Morrisons' checkout and shelf-stacking staff across the UK will be anxiously worried about their bank accounts this morning, after the supermaket admitted that thieves had spaffed employee payroll details online. The grocer said on its Facebook page that it had notified all its workers that their personal information had been …

COMMENTS

This topic is closed for new posts.
  1. Mike Brown

    "This was an illegal theft of data"

    Rather than a legal theft of data?

    1. The BigYin

      Correct, this isn't the NHS you know.

    2. TheRealRoland

      similar to 'a robbery gone wrong' ?

    3. Cripes Chief!

      Of course, only GCHQ are allowed to legally steal data

      1. Anonymous Coward
        Anonymous Coward

        technically speaking

        they don't steal. They take it legally (they say). And if you disagree... well, you know what you can do, right? Nothing.

    4. Destroy All Monsters Silver badge

      Rather, an illegal copying of data.

    5. This post has been deleted by its author

    6. Anonymous Coward
      Anonymous Coward

      @Mike Brown

      Since neither the GCHQ or NSA were involved, it was clearly an illegal theft of data.

  2. Creamy-G00dness

    Data Security??

    Anyone have any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?

    Morrisons could be open to legal action from every employee who had his/her info stolen if no security measures had been taken with the data. 100,000 is rather a large number after all.

    1. Tom Wood

      Re: Data Security??

      Nowhere in the article did it mention hackers. Articles from other sources suggest Morrisons believe it was not the work of outside hackers - so presumably an inside job.

      1. Anonymous Coward
        Joke

        Re: Data Security??

        Yes it was the IT bod.....

        Oh the Intranet, make it available on the INTRANET? ooopsie.

    2. Destroy All Monsters Silver badge
      Headmaster

      Re: Data Security??

      Anyone have any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?

      Well, Alexandra from HR will be royally pissed if she's unable to handle employee data because they were "obfuscated in any way".

      Most data stores are not improved by hashing or obfuscating them.

      1. P. Lee Silver badge

        Re: Data Security??

        > Most data stores are not improved by hashing or obfuscating them.

        I know PCI-DSS is hard and expensive, but that doesn't mean you can't learn from how we deal with it. Tokenise the data and only get it out of the vault when you absolutely have to. In the meantime, encrypt in transit and encrypt at rest, so even the IT bods with a debugger and a copy of the data store can't see more than what is currently being processed.

        A supermarket *can* afford that.

        ... and finally, surely this was infringement, not theft...

    3. Anonymous Coward
      Anonymous Coward

      Re: Data Security??

      > any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?

      > Morrisons could be open to legal action

      Can you offer a justification as to the legal basis for that? As far as I'm aware, nothing in English law explicitly requires "obfuscation" of personal data in this case.

  3. nsld
    FAIL

    By payroll data

    Do they mean a pay run for the month or do they mean the Payroll departments database?

    Wonder who supplies Morrisons payroll services?

    1. petboy

      Re: By payroll data

      Oracle provides Morrison's payroll (via Wipro) - http://www.wipro.com/Documents/MORRISONS%20CASE%20STUDY-final(curve).pdf

      http://www.computerweekly.com/news/2240106307/Former-Whitbread-CIO-joins-Morrisons-as-IT-transformation-director

      1. Amiga500

        Re: By payroll data

        There is no mention of WIPRO suppling the payroll data, where did you read that?

        1. pacman7de

          No mention of WIPRO ..

          @Amiga500: "There is no mention of WIPRO suppling the payroll data, where did you read that?"

          It's in the linked to PDF document ..

          link: "WIPRO enabled Morrisons' £30 million business transformation - one of the largest in the world - and helped realize savings in the tune of £7 milliion."

        2. petboy

          Re: By payroll data

          Well no, Morrisons provide their own data. If you check the first link you'll see the Oracle system was implemented by Wipro

          1. Amiga500

            Re: By payroll data

            Yes I did read that but seeing as it's a retail organisation the database is used for their retail side of the business, why did you link that and payrole data? These would be logically seperated

  4. Davie Dee

    I remember a few years ago working for a medium sized nation high street retail outlet, after questioning some staff payroll issues I was forwarded a database of every member of staffs payroll information in the whole company, CEO and down, gross salary, perks, bonuses, the lot for a whole year. I did the responsible thing but its so easy for this to happen innocently so long as the workers are not aware of the risks of the data they are playing with, never mind actual theft!

    Interestingly, after I had a good look at the whole company structure I was appalled at the pay differences on contractual gross pay alone, even in the top 2/3 tiers, the drop down to the next tier of management was staggering, in the order of a tenth! things dropped in a standard fashion down to regional managers there after and finally the drop to store management was another shocker. Normal store workers and many at HO/DC accounting for the vast majority of staff was of course all minimum wage.

    I guess I hadn't realised that even in HO, the pay wasn't that great and even more senior management at HO were getting a fraction of the top 2 or 3 tiers

    1. Anonymous Coward
      Anonymous Coward

      " I did the responsible thing "

      ...

      "Interestingly, after I had a good look ..."

      A fine example of an upholding and abiding citizen.

      1. Anonymous Coward
        Anonymous Coward

        " I did the responsible thing "

        ...

        "Interestingly, after I had a good look ..."

        And then posted your analysis on a public Internet forum ®

        1. Anonymous Coward
          Anonymous Coward

          Re: " I did the responsible thing "

          IMHO the secrecy regarding pay differentials is one of the reasons why the high ups in companies earn so much more than the worker bees. There are right ways and wrong ways about publicising what goes on at particular companies. If the intention was just to publicise the pay rates for different jobs, what has happened at Morrisons is most definitely the wrong way.

          As a general point , if we don't talk about what different jobs pay, we will never address what I perceive to be the growing wage inequality in British companies. Useful information about payroll costs and pay differentials isn't always published in annual reports. Of course, us proles could all just keep quiet about it, but I wager the people in charge of setting pay do talk to each other. The wage fixing investigations in Silicon Valley over in the US have shown us it does go on.

        2. Anonymous Coward
          Anonymous Coward

          Re: " I did the responsible thing "

          Responsible thing ? What's that ?

          1) Keep quiet

          2) Discreetly tell store union reps if any, possibly get fired.

          3) Discreetly tell trade journalists, maybe get fired

          4) Indiscreetly tell employees, watch the revolution begin

          5) Anonynmously post it on an internet forum

          6) Raise your concerns with upper management, get fired

          The Reg really needs a multiple choice vote button.

      2. Davie Dee

        Absolutely :) But it was handed over and not a word mentioned, lets be honest here, we can all sit here and say we wouldn't do it, but id hazard a guess and say most of us would take a wee peek.

        But given that you or anyone else here doesn't have any idea who I am, and even if they did couldn't pin it down to a company within my vast number of years ive been working, I think its safe to say no one will be the wiser what that information was

    2. h4rm0ny

      IBM did a series of adverts some years back - a title, a sort scene, then the IBM boop-do-be-doop jingle and logo.

      The one they did called "Hackers" featured two people looking at a company's payroll information and remarking "wow - that guy earns twice as much as that guy. I bet he doesn't know". To which the other replies: "he does now - I just emailed it to the whole company".

      It's not for nothing that IBM picked that particular scenario to scare corporate viewers.

  5. ducatis'r us
    FAIL

    where's the data?

    So Wipro was the system integrator, everything including payroll is on Morrisons own installation of Oracle eBusiness Suite. who runs the data centre and where?

  6. DNTP

    The way to fix staff payroll data theft is fire anyone whose data gets stolen, as long as they are just someone who works there and not important to the company. This is because data theft is against the Company Policy and if a worker's data is stolen it must be their fault because it was their data. Then they are no longer an employee so no laws about employee data security have been broken.

    Anyone who complains about this rule also gets fired. Anyone who makes fun of this rule is also fired, unless they are the boss telling a joke in a meeting, in which case everyone who doesn't laugh is fired, unless this was actually a company loyalty test, then random people are fired (for laughing, or not). Everyone taking legal action against the company is fired, not in retaliation, but because if they are talking to lawyers they are not at work, working. Everyone consulting with a lawyer is fired, since the company is paying them and it is against the rules to spend company money on lawyers that don't work for the company.

    Everyone in IT is fired. There will be no more IT. IT will be run by one guy from payroll who knows Office and once upgraded Windows on his home computer. If he doesn't work overtime for no extra pay he will be fired.

    1. Anonymous Coward
      Anonymous Coward

      That would be funny...

      ... were it not for the fact I've worked at places where that sort of logic prevailed!!

      1. Anonymous Coward
        Anonymous Coward

        Re: That would be funnier...

        If I could still remember a place where that sort of logic DIDN'T prevail

    2. Anonymous Coward
      Anonymous Coward

      Team! Team, team, team, team, team. I even love saying the word ‘team’. You probably think this is a picture of my family? No! It’s a picture of The A-Team. Bodie, Doyle, Tiger, the Jewellery Man.

    3. Anonymous Coward
      Anonymous Coward

      Please, don't give them any ideas!

      I've worked for this outfit for far too long, and to be honest, I'm surprised it's taken this long for this sort of thing to happen.

      But then, they have blamed the recent losses, at least in part, on the recent IT upgrades they have done - they have brought a brand new ordering system in to stores (among other things), it cost at least 8 (possibly 9) digits to bring about, and it is universally despised by every member of staff who comes in to contact with it.

      The most laughable thing is the mid-range 11 inch Windows7 tablets we have to use - they run nothing but a Chrome webapp, and are far over-powered for what they are used for, but they rarely if ever work properly - we have 6 in store, 2 refuse to boot and another has a touchscreen that only works on random spots.

      I reckon they could have picked up a bunch of 50 Android tabs from Amazon, locked them down, and had them running better for the job than the POS we've ended up with which cost well over a grand a piece.

      So yeah, its no surprise that security in the IT department is so lax that payroll details have been leaked - oh, and that whole "We've informed our staff about this" thing - an A4 piece of paper was put on the staff notice board that no-one actually pays any attention to - that is the only official word we have had on the matter.

      Posting anon, for obvious reasons.

      1. Anonymous Coward
        Anonymous Coward

        Re: Please, don't give them any ideas!

        Isn't it fairly general that the big software packages used by big organisations are complete rubbish?

        We had an accounting software package at my work (before retirement) that handled everything - stores, spares, timesheets, scheduling etc. It was produced by a large American company (three letter abbreviation but not IBM) and seemed to be used by many other large organisations. It was universally hated and very awkward to use. I used to wonder if the people at the top ever had to use it because I could not imagine them being able to drive it.

    4. Mullerrad
      Angel

      Is it theft?

      For theft you need to permanently deprive the owner of property?

      Now they could have abstracted electricity to copy the date

  7. Dangermouse 1

    A little thing that bugs me...

    Why do companies, and it seems to be mainly supermarkets, insist on using the word "colleague" when they mean "employee"?

    There's a sign at the local Asda, along the lines of "Don't reach up to this high shelf, ask a colleague for assistance". Well I would, but none of my colleagues are here shopping with me. I think what they mean is "ask an employee" or "ask an assistant".

    Is it some sort of politically correct newspeak designed to make employees feel in some way valued or empowered, by not calling them employees? In the same way the people who empty your bins are apparently "operatives"?

    1. Tom Wood

      Re: A little thing that bugs me...

      Retail Enablement Consultants.

    2. Tanuki
      WTF?

      Re: A little thing that bugs me...

      A semi-relative spent the summer uni-vacations working at a local store as a member of their "Out-of-Hours Ambient Replenishment team" - better known as a night-time shelf-stacker in the tinned/dried food aisles..

      [Seems that in the world of food "ambient" is used as the opposite of chilled or refrigerated].

      1. h4rm0ny

        Re: A little thing that bugs me...

        Sometimes people try to dress up a poor job with a fancy title. I bumped into an old friend a while back and I asked them what they were doing now. They said they were an Information Engineer. I was a little surprised because I know what a real Information Engineer is and this person had never when I knew them shown leanings toward anything remotely sophisticated.

        Turns out they put content on a website.

        A small website.

        Using Ctrl-C and Ctrl-V mostly.

        1. Anonymous Coward
          Anonymous Coward

          Re: A little thing that bugs me...

          4-chan? Where every post is a re-post?

    3. Anonymous Coward
      Anonymous Coward

      Re: A little thing that bugs me...

      the people who empty your bins are apparently "operatives"?

      I think you mean a Waste management and recycling technician.

      1. Destroy All Monsters Silver badge

        Re: A little thing that bugs me...

        I always thought "operatives" are the guys that know about trigger discipline when handling silenced M4s?

        1. Anonymous Coward
          Anonymous Coward

          Re: A little thing that bugs me...

          The jobs of "operatives handling silenced M4s" have long been outsourced to India, only the Board stays in the UK (don't ask me if they pay taxes, they get paid taxes)

    4. Anonymous Coward
      Anonymous Coward

      Re: A little thing that bugs me...

      Is it some sort of politically correct newspeak?

      yes, but it's more than that: there are people in those supermarket chains (way higher that the shop-level staff) who sound like they genuinely believe that the word "colleague" is used in earnest and signifies how much their company values their work. Correction: contribution to the well-being and (always) growth of the company.

    5. Velv Silver badge
      Coat

      Re: A little thing that bugs me...

      "Plate Glass Maintenance Engineer"

      Err, Window cleaner

  8. FredBloggs61

    A little more concern over "More of what matters" maybe?

  9. James Micallef Silver badge

    worried?

    Not sure what details are there in the database, but why necessarily would the employees be worried about their bank accounts?

    "will be anxiously worried about their bank accounts this morning, after the supermaket admitted that thieves had spaffed employee payroll details online."

    Typically knowing someone's name and bank account details allows you to make a transfer TO them. If I want to TAKE money from the account, I need to have one of:

    - a bank card link to the account + know the PIN (to make ATM withdrawal)

    - some sort of one-time-key security dongle + knowledge of a PIN or password (online banking)

    - a photo ID having my photo plus name on the account, plus many times also teh physical bank card (to make an in-person withdrawal at the bank)

    Of course that's assuming the banks have good security procedures in place...

    1. xerocred

      Re: worried?

      "... [only] allows you to make a transfer TO them..."

      That's what Jeremy Clarkson thought too. Google jeremy clarkson bank account hacked

      1. Jason 24

        Re: worried?

        Oh FFS stop it.

        If an unauthorised DD comes out of your account just ring your bank and tell them, the money is instantly recalled and the DD cancelled with no damage done, used it many times when "administrative errors" result in my monthly bills getting FUBARed by various companies.

        1. xerocred

          Re: worried?

          Wot you like hanging on the line to explain to the call center people that it wasn't you?

          It is something you shouldn't have to do ever.

          something similar happened the wife. The withdrawl went over a limit the account got blocked so call center people couldn't even see anything on their screens. Branch phone nymber diverts you to said call center. Seeing as we weren't in the uk at that time it was a royal pain. Withdrawl wasn't to a charity/utility either.

    2. Anonymous Coward
      Anonymous Coward

      Re: worried?

      This attitude, prevalent in Britain, has always amused me somewhat. This is a nation who think giving out your bank account number is dangerous but insist on using cheques. They think ID cards are dangerous but proving your identity with a gas bill is fine.

      Brits are very resistant to any kind of change, so they bring out some well publicized case while ignoring the fact that the old system is clearly broken.

      It's one of the many endearing idiosyncracies about the UK, along with other band-aid solutions like hot water bottles, carpets and thick curtains. The rest of us build our homes warm and draft free.

      But I love Brits and the UK to bits. The Shire wouldn't be the same if hobbits lived any other way.

      1. xerocred

        Re: worried?

        "... who think giving out your bank account number is dangerous ..."

        A basic tenet of security is 'need to know'. The whole population doesn't need to know anything about me and my bank account. I like to keep it that way.

      2. jbuk1

        Re: worried?

        No one I know has used cheques for years. Does anyone even get a cheque book with their account anymore? If you'd been talking about the USA maybe.

        I think you're a little misguided with your assertions as towards the UK though.

    3. JMB

      Re: worried?

      'worried?

      Not sure what details are there in the database, but why necessarily would the employees be worried about their bank accounts?

      "will be anxiously worried about their bank accounts this morning, after the supermaket admitted that thieves had spaffed employee payroll details online."

      Typically knowing someone's name and bank account details allows you to make a transfer TO them. If I want to TAKE money from the account, I need to have one of:

      - a bank card link to the account + know the PIN (to make ATM withdrawal)

      - some sort of one-time-key security dongle + knowledge of a PIN or password (online banking)

      - a photo ID having my photo plus name on the account, plus many times also teh physical bank card (to make an in-person withdrawal at the bank)

      Of course that's assuming the banks have good security procedures in place...'

      Like the fuss someone will make about giving their bank account number online yet will send a cheque by mail to a complete stranger and what does the cheque have printed on it ............

  10. Anonymous Coward
    Anonymous Coward

    Theft not hack

    This appears to have been a theft of data not a hack.

    Someone needs access to payroll data in an organisation and if those people decide to steal it, it can be very difficult to prevent them from doing so. I know we all love to jump to conclusions but I haven't seen anything to suggest that this isn't the sort of attack that almost any organisation might fall victim to.

    1. Velv Silver badge
      Terminator

      Re: Theft not hack

      Doesn't matter if it was theft or hack, were sufficient measures put in place to attempt to prevent the loss of the data?

      Since >80% of data loss incidents occur from inside, that is where the focus of protection should be.

      It's hard to restrict the DBA of the HR system from accessing the data, but you wouldn't expect the web admin to have access. Edward Snowdon demonstrates that you can never prevent every loss, but only the ICO report will reveal if this was a leak through bad controls as well as bad people.

  11. TeleC

    Interesting coincidence?

    Considering they posted a major profit warning this week, I wouldn't be surprised if this was someone 'looking into' where that profit really went, or who's getting rich off of it.

    1. Destroy All Monsters Silver badge

      Re: Interesting coincidence?

      Monsieur Besancenot, please go!

  12. cd

    "We are liaising with the police and highest level of cyber crime authorities."

    That is reassuring.

    1. JMB

      ' "We are liaising with the police and highest level of cyber crime authorities."

      That is reassuring.'

      Translates as the boss is asking his son who has an XBox

  13. eJ2095

    Not one to ask BUT

    Why was the payroll data even linked / put on there website server?

    also wasn't Morrison lagging behind with there on-line shopping anyway?

    Only wanted my Grocery's and ended up with a payroll.. (Wonder if you can get the Morrison's Fuel saver on this....)

    1. Velv Silver badge
      Headmaster

      Re: Not one to ask BUT

      "Why was the payroll data even linked / put on there website server?"

      It wasn't.

      It was "stolen and then uploaded onto a website"

  14. Lyndon Hills 1

    strange

    Some have pointed out that the article doesn't say it was external crackers, and so it might be an inside job. While possibly the case, if you had access as an insider, why would you post all the details online? Morrisons will obviously call in experts (and police as they've said), so I'd worry about being caught, and surely the consequences of this would far outweigh the lolz gained? The perp also sent it to a newspaper, increasing the avenues for investigation.

  15. Mark 85 Silver badge

    Included Bank Account info??

    Ok.. so any money on who got the word first in order to get the bank to change their account number? Either the CEO or the junior stock person in the warehouse? And I'd lay odds that every senior staff member disappeared to their bank as soon as they were told and didn't have wait until the end of their shift like everyone else.

  16. Frumious Bandersnatch Silver badge

    bank accounts

    The banks should allow you to set up "aliases" for your bank account. They generate a new account number that is linked to your main bank account and then you give that account number to your employer or whoever needs to transfer money into your account. Make the account only available for inwards funds transfer, so that if the account details are stolen, they're of precious little use to anyone. (sort of like how you can get disposable, pre-pay credit card numbers)

    At a stroke, this would solve the problem that these data breaches cause. They should also extend the "alias" idea so that you could set up separate payment accounts that you use for different recurring bills.

    It seems simple and effective, but am I missing some obvious gotcha?

    1. Anonymous Coward
      Anonymous Coward

      Re: bank accounts

      Citibank send me my credit card statement with card number helpfully obfuscated like:

      1234-4567-89XX-XXX

      However, helpfully printed on the bottom of the statement, on the 'do not write here' return slip it has the full card number in clear text.

      So what could possibly go wrong with your great idea?

    2. Anonymous Coward
      Anonymous Coward

      Re: bank accounts

      Sounds like one of the many features of BITCOIN, in fact.

  17. Anonymous Coward
    Anonymous Coward

    "The grocer said on its Facebook page"

    Well. there's part of ya problem!

  18. This post has been deleted by its author

  19. I. Aproveofitspendingonspecificprojects

    A family firm that eats its workers

    They use the fact that the firm is a "family run business" as an introduction to their agencies' induction process. Some of the videos shown at the induction indicate the family is a bunch of cut throats but oddly that doen't put anyone off. Being unemployed trumps frightened rabbit every time.

    The agency(s?) steal potential money from potential employees before said potential employee even gets a job. It is all to do with the forms you fill in and the permissions you have to give. Thay are just like the formsyou fill in online when you join MSN Groups and end up agreeing top all the spam hell can send you.

    They use agencies to employ temproray staaff so that they can be let go without any comebacks. At the interview, the hopeful are ordered to give details of their accounts "for payments to be made" when eventually employed.

    The details are then used to access the account and take out a small amount regularly. Most people notice and stop it but a lot -enough, don't see it until too late.

  20. Anonymous Coward
    Anonymous Coward

    Current data only??

    Does anyone know if the data was only current employees?

    Morrisons made a lot of people redundant ~6 months back. It is unlikely that Morrisons will be contacting their ex-employees to say "sorry but we still have your financial info on our systems and now its been stolen".

    Enquiring ex-employees need to know if they are at risk.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019