Don't make us pay compensation for employee data breach, Morrisons begs UK court

Lawyers for supermarket chain Morrisons today urged the UK Court of Appeal to overturn an earlier judgment that made the company partly liable for a criminal data breach that saw 100,000 people’s payroll details published via Tor. Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the …

  1. Velv Silver badge

    While the employee had legitimate access, were Morrison’s controls on its staff sufficient to make the breach difficult or detectable? Clearly not, as the breach was only discovered when it was published on Tor. So Morrison’s must bear some liability.

    1. Jason Bloomberg Silver badge

      I would tend to agree. Morrison's shouldn't be allowing employees to walk out with sensitive and personal information they shouldn't take with them.

      Everyone appreciates it's not always possible to stop ne'er do wells doing what they shouldn't, and full-cavity body searches at pub o'clock are likely inappropriate, but the original hearing determined that Morrison's clearly had not done enough to prevent the theft of confidential data.

      But Morrison's do have a point: if Parliamentary legislation excludes them from being held vicariously liable then they should be off the hook for that.

      1. DavCrav Silver badge

        "Everyone appreciates it's not always possible to stop ne'er do wells doing what they shouldn't, and full-cavity body searches at pub o'clock are likely inappropriate, but the original hearing determined that Morrison's clearly had not done enough to prevent the theft of confidential data."

        If the standard to which companies will be held is 'was it physically possible to stop this from happening by some means?' then all employees will have to be subject to the cavity searches, because small cameras exist.

      2. Anonymous Coward

        Morrisons was not at fault

        This is factually incorrect. Morrisons was explicitly found not to have been at fault. If it had been at fault, it would have been liable rather than vicariously liable. It's all clearly set out in the judgement, which anyone can read - I have.

    2. Anonymous Coward

      Morrisons vicariously liable but not at fault

      If you read the judgement from the original trial, you will see that Morrisons was found not to have breached the Data Protection Act and indeed was not found to have been at fault at all. Without wishing to go into the detail of the law on vicarious liability, Morrisons was held to be vicariously liable for the criminal actions of its employee, but that does not imply any fault, and the judge was quite clear that Morrisons did not act unlawfully.

      Imagine that an employee takes a photograph of a sensitive document to which he or she had authorised access, how is an employer supposed to detect that?

      1. LucreLout Silver badge

        Re: Morrisons vicariously liable but not at fault

        Imagine that an employee takes a photograph of a sensitive document to which he or she had authorised access, how is an employer supposed to detect that?

        Why does the employee need a personal device in the workspace? Go chat to anyone that's worked at a hedgie or on a trading floor and you'll pretty quickly see that lots of places dealing with sensitive info don't permit personal phones.

        If Morrisons chooses to run that risk then they should rightly be considered to have chosen to be liable.

        Security is always a balance, but then, so are operational costs. Fines when an employee goes rogue are part of the cost of doing business. It's not like their customers or most staff get any say in the hiring process.

        1. Roland6 Silver badge

          Re: Morrisons vicariously liable but not at fault

          >Why does the employee need a personal device in the workspace?

          Remember BYOD?

          Also I presume you have (successfully) lobbied your employer to ban employees having personal devices in the workplace and thus you yourself don't carry a personal mobile phone....

          1. LucreLout Silver badge

            Re: Morrisons vicariously liable but not at fault

            Also I presume you have (successfully) lobbied your employer to ban employees having personal devices in the workplace and thus you yourself don't carry a personal mobile phone....

            You presume wrong. I haven't lobbied for anything. The company has its own rules that long pre-date my working here, so yes, my personal mobile goes into a locker before I go onto the trading floor. Everyone's does. It's really no kind of problem at all.

            1. Roland6 Silver badge

              Re: Morrisons vicariously liable but not at fault

              >so yes, my personal mobile goes into a locker before I go onto the trading floor.

              Right, now I understand where you are coming from...

              When I started work (pre-mobile phones) making private phone calls whilst at work was a hassle, I'm not sure if we can easily get back to this state of affairs or whether it is desirable.

              As an external consultant, since the mid 1990's I have nearly always turned up at client sites with my personal phone and laptop (i.e. my tools, which are owned by my business) - only leaving them in the bag/car/at home when the client provides 'tools' and specifies non-use of third-party equipment on their premises.

              However, for probably the vast majority of enterprises it is now a well established practice for people to carry around their own personal mobile phone/tablet, which may or may not be connected to the corporate IT (whether on the guest network or in many cases directly on the corporate network!!).

    3. Anonymous Coward

      NHS?

      I'm keen to see how the judgement pans out. As an employee in the NHS I have concerns over the handling of data, and we lack the funds, in my opinion, to appropriately protect it or even detect a breach. A lot of goodwill is expected but one rogue staff member is all it takes.

  2. Pete 2

    You shouldn't be able to get to there from here.

    > ... who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor.

    While that part is undeniable, the employer should have protections in place to prevent a (legitimate) user from either taking a copy of the data to remove from the workplace, or from being able to upload it to an off-site location.

    If that means that users' PCs don't have any ability to plug USB drives (or anything else) in, that would be a definite step forward. It would also stop people loading dodgy stuff onto a PC or server.

    If it further means there needs to be an air gap between internal systems holding sensitive data and anything with public internet access then that would be a good thing, too.

    One could possibly go further and question the need for any office computer to have general-purpose internet access, at all.

    Having those restrictions in place would also go a hell of a long way to stopping the reverse: bad people gaining access to sensitive data from outside the building.

    1. DonL

      Re: You shouldn't be able to get to there from here.

      "It it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too."

      That would indeed be the only way to stop this kind of thing from happening.

      It would be helpful if they included these requirements in EU laws or guidelines. I don't think a lot of companies are doing this currently and it is therefore extremely easy for rogue employees to leak data (either by email, http upload, ftp or USB). Also, employee privacy laws make it very difficult to detect these kinds of things.

    2. DavCrav Silver badge

      Re: You shouldn't be able to get to there from here.

      "It [sic] it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too."

      These are payroll computers. So they communicate with HMRC. What you are saying is that, every day, the updated HMRC stop orders, new tax codes, etc., should be verbally read off the office computer with Internet access, then dictated onto the computer that deals with payroll. (Because you also want no USB access for this computer as well.) And back again: updated PAYE details at the end of each month have to be dictated onto the Internet-enabled computer.

      That won't lead to any errors ever. And still won't stop people with cameras.

      Finance offices deal with invoices from companies, pay credit card bills for company cards, and many other things. All of which need the Internet.

      1. Pete 2

        Re: You shouldn't be able to get to there from here.

        > All of which need the Internet.

        But it doesn't need a public internet connection.

        It just needs the specific ports to the specific address / URL. And the same applies to bank access. There is no reason for a finance computer to ever need access to Google, BBC, ToR, Facebook or anything apart from a few dedicated, preferably hard-wired, connections. Ones that would be audited and under change control.

        1. Roland6 Silver badge

          Re: You shouldn't be able to get to there from here.

          >There is no reason for a finance computer to ever need access to ... anything apart from a few dedicated, preferably hard-wired, connections.

          There speaks someone who has never worked in or observed an accounts/financials department...

          You are also assuming the guy was accessing the (compromised) database from a finance department designated PC...

        2. Loyal Commenter Silver badge

          Re: You shouldn't be able to get to there from here.

          Computer security is easy, for anyone who has never had any sort of involvement in it.

          For anyone who actually knows about it, they know it is Hard. Reading a few of Bruce Schneier's blogs, or some of his books will give you a sense of just how hard it is.

          Often companies whose main business is computer security get it wrong. Morrisons is a supermarket.

        3. Nick Ryan Silver badge

          Re: You shouldn't be able to get to there from here.

          It just needs the specific ports to the specific address / URL. And the same applies to bank access. There is no reason for a finance computer to ever need access to Google, BBC, ToR, Facebook or anything apart from a few dedicated, preferably hard-wired, connections. Ones that would be audited and under change control.

          A nice thought, in principle. However with SSL, load balancers, CDNs and anti-DOS protection services it just doesn't, and can't work in practice.

    3. jabuzz

      Re: You shouldn't be able to get to there from here.

      The thing is it is almost impossible to stop someone who wants to from getting data off a system. I am sure you could write, say, a PowerShell script to display a series of QR codes or even just a blinking square on the screen from a file that I can capture via video on my mobile phone with an app that turns them back into the original file, and then walk out of the building. How do you propose stopping me doing that? Perhaps I can get the PowerShell script in through the simple expedient of emailing a PDF of the source to myself.

      A 200GB microSD card is £55 on Amazon with a 400GB one only £130. If you're willing to pay through the nose you can get a 512GB one too, though it will set you back £290.

      Would Morrisons be vicariously liable if an employee walked into a store and gunned people down?

      1. katrinab Silver badge

        Re: You shouldn't be able to get to there from here.

        "Would Morrisons be vicarious liable if an employee walked into a store and gunned people down?"

        Yes they would, and there was actually a case along those lines in 2016, except that the employee attacked the customer with his fists rather than a gun.

        1. Anonymous Coward

          Re: You shouldn't be able to get to there from here.

          This is correct and an example of where the law on vicarious liability needs to be reviewed. If an employee goes rogue, despite all the best efforts of his or her employer, the employer should not automatically be vicariously liable for the employee's actions.

  3. Anonymous Coward

    English Idio.....

    British English, as opposed to Australian English takes "Compo" as an abbreviation of either Composition (mixture) or Compost, of interest mainly to bricklayers, taxidermists and gardeners.

    Kindly talk proper, like what the Queen does.

    1. Roj Blake Silver badge

      Re: English Idio.....

      I'm a Brit, and I regularly use compo as either an abbreviation of compensation or as a reference to an elderly scruffy Yorkshireman.

      1. Locky

        Re: English Idio.....

        As an elderly, scruffy Yorkshireman, I approve

    2. Das Schaf

      Re: English Idio.....

      In my 50 years of speaking and listening to British English in various parts of the country, I have never heard the word Compo used in any other context but as an abbreviation for Compensation.

      1. Commswonk Silver badge

        Re: English Idio.....

        I have never heard the word Compo used in any other context but as an abbreviation for Compensation.

        For some of us the word "Compo" will always mean "Compo (composite) Rations" unless the context clearly indicates otherwise.

      2. Spoonsinger

        Re: English Idio.....

        However I'm of similar 50 year standing to the above but only ever heard it as 'Comp'. The additional 'o' probably allows the speaker to emphasize their supposed barrow boy roots to their target audience.

        1. Anonymous Coward

          Re: English Idio.....

          Bit classist of you, that.

          1. werdsmith Silver badge

            Re: English Idio.....

            "i is gunna get a new stereo 4 me Corsa wid me ppi compo money innit"

            Is the usual sort of context.

    3. tiggity Silver badge

      Re: English Idio.....

      @ Simon B-52

      When Brits hear "Compo" they think of a character off a dismal TV comedy (that was bizarrely popular with certain people and so limped on for decades). Wonder what a brexshiteer/last of Venn diagram would be like...

      1. HolySchmoley

        Re: English Idio.....

        @ tiggity

        'When. Brits hear "Compo" they think of a character off a dismal TV comedy...'

        Careful. You sound like https://en.wikipedia.org/wiki/Victor_Meldrew

    4. Anonymous Coward

      Re: English Idio.....

      "Kindly talk proper, like what the Queen does."

      In British English, Compo was Clegg's friend.

    5. Anonymous Coward

      Re: English Idio.....

      compo is quite clearly short for compoke-this-ere-deadferret

    6. sorry, what?

      Re: English Idio.....

      It seems that someone eradicated use of that abbreviation - I certainly can't find it.

      Personally, as a native Brit of rather more years than I care to mention, it's not an abbreviation I'd have used for any of the suggested words. I'd have said "dosh" instead of "compensation", "mix" for "composition" and "muck" for "compost".

    7. HolySchmoley

      Re: English Idio.....

      "British English, as opposed to Australian English takes "Compo" as an abbreviation of ..."

      Not to mention a well-known inhabitant of Holmfirth

      https://en.wikipedia.org/wiki/Last_of_the_Summer_Wine

  4. alain williams Silver badge

    I do have some sympathy for Morrisons

    Andrew Skelton was not a director, neither was he part of a team doing something 'furthering corporate aims' that resulted in the data loss or, as is often the case, not doing things that they clearly should have done to prevent the data loss. In order to operate, a company does need to trust some individuals; it is not possible to lock everything down so that someone internal trying to nick data can be prevented 100% of the time.

    Andrew Skelton should have the book thrown at him; he pays the fine, and if it means that he loses his house then so be it - it might act as a deterrent for others.

    This should, however, not be used as an excuse to allow all corporations off the hook by blaming everything on rogue employees.

    1. Gordon 10 Silver badge

      Re: I do have some sympathy for Morrisons

      Not sure I do - he was an auditor for gawds sake. Surely he should have been monitored more closely? It's the accounting version of not monitoring your sys admins.

      1. John Brown (no body) Silver badge

        Re: I do have some sympathy for Morrisons

        "Not sure I do - he was an auditor for gawds sake. Surely he should have been monitored more closely? Its the accounting version of not monitoring your sys admins."

        You can't argue with an Auditor

    2. Anonymous Coward

      Re: I don't have any sympathy for Morrisons

      it is not possible to lock everything down so that someone internal trying to nick data can be prevented 100% of the time

      IME most companies do very little in terms of real data security. Yes, everybody has to jump through hoops and train in respect of DPA and GDPR, but leakage still goes on. Despite the ready availability of suitable technology, most companies don't use any proper access control and monitoring of sensitive files and databases. Emailing large files in and out is too easy (but should rarely be necessary if the company provides the right tools, although few do), simple approaches like disabling demountable storage are overlooked, etc etc. Yes, if security had been better and he'd been clever enough he might have found a way - but that doesn't appear to be the case. And even then, Morrisons were the custodians; they were the ones who lost it. If I put £500 in the bank, I expect them to keep it safe, rather than say "it wasn't us, it was that rotten armed robber". As an auditor, this twit should have had access on demand for almost anything, but that doesn't mean that he should have uncontrolled, unmonitored access, nor the ability to exfiltrate data.

      Morrisons are fools for pursuing this case, because it refreshes public memory that they were incompetent (in my view, as per above), and it shows them in denial. Having been ordered by a court to pay, they should then have arranged a suitable non-disclosure settlement to keep it from bobbing up in the press. Instead the twerps try and appeal. I hope they lose. And I'll bear this in mind for future discretionary purchases so that, no matter how small, their poor response has a commercial impact.

      1. Roland6 Silver badge

        Re: I don't have any sympathy for Morrisons

        >Morrisons are fools for pursuing this case

        Err no. You do realise that if Morrisons lose, JMW will have opened the door wide for all the other ambulance chasers...

        Remember this case isn't about the data breach as such but "compensation for the distress caused". Given Morrisons was awarded £170,000 in compensation, it would seem that a cup of coffee from the Morrisons in-store cafe for every employee is about the right level of compensation...

      2. eldakka Silver badge

        Re: I don't have any sympathy for Morrisons

        Having being ordered by a court to pay, they should then have arranged a suitable non-disclosure settlement to keep it from bobbing up in the press.

        Once you have been ordered by the court to pay, you no longer have the option of setting your own conditions (i.e. requiring a NDA). You can only do that before a court judgement is made and then having the case dismissed (or never lodging it in the first place) before said judgement is reached.

    3. Anonymous Coward

      Re: I do have some sympathy for Morrisons

      If Morrisons are found guilty then that means the court is stating that no employer can trust any of its employees.

      What could possibly go wrong...

  5. Anonymous Coward

    I'm guessing my opinion is going to be unpopular but here it is.

    If as part of his role he should have had access to payroll data and he agreed to sign off on confidentiality then Morrisons are not to blame.

    If Morrisons are found to be at blame then that will require a huge shift in IT policy, access and permissions across many organisations.

    I'm on the side of Morrisons on this one. The perpetrator has already been jailed.

    1. Anonymous Coward

      "If as part of his role he should have had access to payroll data and he agreed to sign off on confidentiality then Morrisons are not to blame."

      They should be. This wasn't a nation state grade, zero day, fully stealthed APT, it was some knob end employee with a grudge. He simply shouldn't have bulk access to download virtually the entire payroll data. Even in his job, where's the real day to day requirement to take a local copy of that sort of data? I've worked close to these systems, and even had work machines contaminated with unnecessary personal data - but as I wasn't dodgy nothing bad happened. But it shouldn't have been possible.

      So I think you're wrong. Blaming rogue third parties for your company's data loss is merely lazy, third rate defensiveness.

      1. Roland6 Silver badge

        >I've worked close to these systems, and even had work machines contaminated with unnecessary personal data - but as I wasn't dodgy nothing bad happened. But it shouldn't have been possible.

        It is surprising how many IT people throw their toys out of the pram when you limit their access to systems, many seem to think that it is okay that they can access ALL systems and ALL data because "they ain't doing anything dodgy".

        In the new world, I wonder how many IT people realise that having such access now puts them at the top of any list of suspects when an unauthorised data disclosure happens...

    2. Anonymous Coward

      Spot on

      This is exactly correct. If you read the judgement it was not found nor even argued by the prosecution that Skelton should not have access to the data he illegally published.

  6. TwistedPsycho

    We are missing one important question...

    .... how did the criminal remove the data?

    Skelton was a senior auditor, according to the BBC article at the time of his sentencing, which would suggest to the outsider that the person has responsibilities beyond that of a standard office bod.

    If he was just able to post it to Dropbox then yes there might be a case, but if the company took reasonable steps then you won't stop someone who has a determined grudge.

    1. Gordon 10 Silver badge

      Re: We are missing one important question...

      I thought the whole point of vicariously liable meant that Morrisons were found not to have taken reasonable steps?

      1. Anonymous Coward

        Re: We are missing one important question...

        This is incorrect.

        If Morrisons had been at fault it would have been found to have been in breach of article 7 of the DPA which it was not. In addition, the judge gave Morrisons right of appeal without an application whereas the plaintiffs were denied the right of appeal on the finding that Morrisons was not at fault.

        If Morrisons had been at fault, it would have been liable as opposed to vicariously liable. This might seem like a narrow legal distinction but it isn't.

    2. Roland6 Silver badge

      Re: We are missing one important question...

      >If he was just able to post it to Dropbox then yes there might be a case,

      You only need a web browser with public internet access to achieve a file upload, so the question is whether it is reasonable to have a web browser installed on a company PC...

  7. Pedigree-Pete

    The perp got 8 years...good...

    but we know who'll end up paying the fine and compensation, the customers and employees. PP

    1. The Nazz Silver badge

      Re: The perp got 8 years...good...

      That was 4 years ago (so the article says). With good behaviour he could be out by now.

      Would be amusing (well it is to me) if he were sat in the public area during the trial.

  8. adam payne Silver badge

    Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor.

    It sounds like the controls in place at the time were insufficient to stop a person from copying the entire database. If the controls in place were insufficient to stop the theft then you are in some ways liable.

    What controls have been put in place since this happened?

    1. Andy Humphreys

      Yep, I would agree with the above. Why should Morrisons not have to take some responsibility for what in effect is a personal data breach that - with better controls - could have either been made much more difficult to achieve, or could have been detected much sooner, perhaps even thwarted?

      If this were a Financial Services Org, then excrement would be hitting the fan and sticking..

      There are plenty of technologies out there able to help lock down the use of Tor etc. and other DLP bits and pieces, not to mention logging, monitoring and alerting..

      I can't see much evidence that any of this was in effective use..

      1. Anonymous Coward

        @Andy Humphreys

        He used Tor on a corporate PC?!?

        Do you have any evidence of that?

        1. Anonymous Coward

          He did not. He used TOR on his personal computer.

          1. Andy Humphreys

            ...He used TOR on his personal computer.

            OK well I'm obviously not as close to it as you are, but fair enough on that point if that's the case.

            I'm still not so sure that's any better for Morrisons. He still managed to get the data out of Morrisons, and then onto/through his PC to send it through Tor. Still indicates a sub-standard control structure in my opinion..

    2. Anonymous Coward

      Funny that, while saying basically the same thing as TwistedPsycho above, he gets the upvotes and you get the downvotes...

  9. IWVC

    What are the legal requirements for data security

    I'm with Morrisons on this one - but there again it wasn't my data that was leaked.

    Not sure what the legislation requires, but if there is an expectation that there must be some level of reasonable provision to prevent unauthorised theft then the legal debate should be interesting.

  10. dnicholas Bronze badge

    Disgruntled employee... Cockwomble more like.

  11. Claptrap314 Silver badge

    "Industry Standard"

    The sad fact is, there are precious few companies that are not extremely vulnerable to this sort of thing. "Senior Auditor" is not a title you hand a green grad. Implementing controls to detect issues at this level is probably doable. Of course, whoever implements THOSE has the keys as well...

    I'm all for improving security at pretty much all levels, but at some point, you need to limit these claims to situations where the company in question is clearly lagging what most similar companies are doing.

  12. TechDrone

    I guess you could argue that nobody has any business running a ToR client on a PC in a supermarket, so blocking 9001/tcp outbound would have stopped that for the 2 minutes it would take to reconfigure ToR to use a different port. And you can't really block outbound 80/tcp or 443/tcp. And that's assuming the files were uploaded from within their network and not put onto some other media and uploaded from elsewhere.

    An awful lot of finance work consists - rightly or wrongly - of extracting data from one system and then loading it on to another, and I would expect an auditor to need the ability to do mass extracts to feed into audit tools which quite possibly sit on another machine.

    I can't help feeling that Morrisons are being blamed for being a victim. I guess the difference between them and the ****** who did this is that Morrisons have more money. A lawyer friend once told me it's not about justice or right or wrong, but who you can most easily sue.

    1. Andy Humphreys

      ..in reply to Techdrone

      Preventing employees from being able to install the software in the first place would have been a better move. A content/category filtering proxy or firewall with TLS inspection might help to discover and block traffic that did make it to the border. U/NBA devices might help to detect an anomaly.

      My point is that for an organisation the size of Morrisons, I should hope that they do have these sorts of measures and controls in place. I've seen organisations much smaller, who can achieve this, so why not them? Exfiltrations in the manner as you described, through 80/443 would be an absolute triviality without those proxy/FW measures. Finally, Insider accounts for around 75% of all data breaches. The controls absolutely have to take into priority those sorts of potential incidents, be they deliberate or accidental.
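      Pete 2's point earlier in this thread (a finance PC needs only a few audited destinations) and the proxy/monitoring measures in this reply can both be checked against proxy logs. The block below is an added example, not code from any commenter or from Morrisons: it runs an egress-allowlist check and a bulk-upload check (absolute limit, plus a per-user baseline) over constructed proxy log lines. The log format, hostnames, user names and thresholds are all assumptions.

```python
"""Egress allowlist and bulk-upload check over web-proxy logs.

Added example. Field layout, hostnames, users and thresholds are all
constructed assumptions; they are not a real proxy's schema or any
company's real traffic.
"""
from collections import defaultdict
from statistics import median

# Constructed log lines: timestamp user method host bytes_sent bytes_received
PROXY_LOG = """\
2014-03-12T09:01:10 jdoe POST hmrc.gov.uk 48213 1200
2014-03-12T09:05:44 jdoe GET hmrc.gov.uk 512 90312
2014-03-12T09:07:02 asmith POST payroll-vendor.example 31000 2048
2014-03-12T09:30:15 jdoe POST hmrc.gov.uk 50100 900
2014-03-12T10:02:55 asmith POST filehost.example 1900000000 512
2014-03-12T10:11:31 bjones GET news.example 640 220000
2014-03-12T10:40:09 asmith POST payroll-vendor.example 29500 1800
2014-03-12T11:15:40 jdoe POST hmrc.gov.uk 9000000 700
"""

# Hosts a payroll workstation has a business reason to reach (assumed list).
EGRESS_ALLOWLIST = {"hmrc.gov.uk", "payroll-vendor.example", "bank.example"}

ABSOLUTE_UPLOAD_LIMIT = 100 * 1024 * 1024  # one 100 MiB request is an extract, not a form post
BASELINE_MULTIPLIER = 20                   # request 20x larger than the user's usual upload


def parse_log(text):
    """Parse the constructed whitespace-separated log; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, method, host, sent, recv = parts
        try:
            events.append({"ts": ts, "user": user, "method": method, "host": host,
                           "sent": int(sent), "recv": int(recv)})
        except ValueError:
            continue
    return events


def find_exfil_candidates(events, allowlist=EGRESS_ALLOWLIST):
    """Return (reason, event) findings in log order.

    Reasons: host_not_in_allowlist, bulk_upload (at or above the absolute limit),
    upload_above_user_baseline (far above the median of the user's other
    sub-limit uploads). One event can earn more than one finding.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for ev in events:
        if ev["host"] not in allowlist:
            findings.append(("host_not_in_allowlist", ev))
        if ev["sent"] >= ABSOLUTE_UPLOAD_LIMIT:
            findings.append(("bulk_upload", ev))
            continue
        # The baseline excludes this event and anything already over the absolute
        # limit, so one huge upload cannot drag the user's own baseline up with it.
        others = [e["sent"] for e in by_user[ev["user"]]
                  if e is not ev and e["sent"] < ABSOLUTE_UPLOAD_LIMIT]
        if others and ev["sent"] > BASELINE_MULTIPLIER * median(others):
            findings.append(("upload_above_user_baseline", ev))
    return findings


def bytes_sent_by_user(events):
    """Total bytes each user sent out; a simple daily roll-up for review."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["user"]] += ev["sent"]
    return dict(totals)


if __name__ == "__main__":
    evs = parse_log(PROXY_LOG)
    for reason, ev in find_exfil_candidates(evs):
        print(f"{ev['ts']} {ev['user']} -> {ev['host']} ({ev['sent']} bytes): {reason}")
```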

    2. alain williams Silver badge

      Quis auditdiet ipsos Auditores?

      I guess you could argue that nobody has any business running a ToR client on a PC in a supermarket, so blocking 9001/tcp outbound would have stopped that for the 2 minutes

      We are told that the data was uploaded via ToR but do not know if that is how the data was taken off the Morrison's servers. It could have been walked out of the building on a memory stick and uploaded via ToR at home or in a cyber-cafe.

      Since he was an auditor he could have asked for access to the backup system/media/... to check that it was being done properly or that it could be restored or ... or ... One of many reasons to get his hands on a copy - then swipe a copy in one of many innocuous ways.

      "Who audits the Auditors ?"

      1. Norman Nescio

        Re: Quis auditdiet ipsos Auditores?

        Generally, auditors do not work alone, for reasons that should be obvious, but it seems are not.

        Audit teams descend upon you partly because no single member should have access to data without someone else in the team of equal or greater authority signing off on that access. Usually, a senior (internal) auditor (which is what Andrew Skelton was) will be signing off on junior members of the team accessing/collecting data, and will be unlikely to be 'at the coal-face', as the senior auditor's actions will need to be signed off by the Head of Internal Audit, or some similar entity.

        Now, if he instructs a junior member to grab a copy of the payroll database, he can't then sign off the access - that is an obvious deficient control. What happens is an Audit Plan is made in which taking a copy of the database is a part (but see later about normal practice), and it is signed-off by the Head of Internal Audit (or possibly another, independent, Senior Internal Auditor). He should not be able to waltz in on his own authority and grab a copy of whatever he likes. 'Fishing' expeditions are possible, but everything accessed or taken needs to be recorded and counter-signed, with the log audited by someone else. Audit is all about following a process in painful detail.

        External Auditors come and review Internal Audit's working practices every so often.

        Obviously, once a copy of data is (legitimately) on an Internal Audit's computer(s)*, you pretty much have to trust that it is not being misused - I would not be surprised to learn that in this case a Payroll Audit had just taken place, although I would understand normal practice would be not to take a copy of the payroll database, but to take a (sufficiently large to be representative) random sample of records to check for problems (for reasons that should be obvious).

        Being an internal auditor should not give you 'the keys to the kingdom'. It should give you monitored and audited access to a representative sample of parts of the kingdom, precisely to prevent a disgruntled auditor causing great damage - which is what happened in this case.

        I would expect one of the audit findings on the Payroll Audit would have been a deficiency in access controls, unless there was a Very Good Reason that the audit department needed a full copy of the database. Audits generally proceed on a representative sample of data.

        Audit departments have to be 'squeaky clean' with regard to their own process controls, as they are the ones telling the rest of the company what best practice should be. It doesn't mean you avoid all risk - but deficiencies need to be recorded and agreed as allowable by the board of directors who have the legal responsibility for the proper running of the company. There is nowhere to hide.

        Sorry if I've gone on a bit. My years in Internal Audit are coming back to haunt me and I'm getting flashbacks, even though I was never formally certified.

        NN

        *Computers used for data analysis by internal audit would generally not have Internet access, and follow the rule that client data can be imported or destroyed, but never exported. The only data that comes off those machines are the results, with the exception of secure backups, which are retained so that the audit can be reviewed, either by a separate internal audit team; or by the external auditors.

      2. EnviableOne Silver badge

        Re: Quis auditdiet ipsos Auditores?

IIRC the data was removed from Morrisons and uploaded from a personal machine.

        IMHO, Morrisons should be liable for not taking due care of the payroll data of its employees.

        Auditors should be able to see and verify, but not in any terms remove PII.

If this was under the GDPR regs there would be no case as both would be liable.

      3. Nick Ryan Silver badge

        Re: Quis auditdiet ipsos Auditores?

I read it that he just got a copy of the data, in some form - it really didn't need to be in a native format, just an export - and took this offsite and uploaded it from a different system.

        It's a classic case of data security vs usability - the only truly secure data is data that nobody can ever access, which really means data that you do not hold. Beyond this it's a balance of security risk vs usability.

        This was data that had to be recorded, access to it was required and this access produced a certain level of risk. Morrison's responsibility is to reduce this risk to acceptable levels and beyond there is little more that they can do. Given that the previous case didn't highlight significant failures on Morrison's part it looks to be down to the individual in this case.

      4. Nick Ryan Silver badge
        Joke

        Re: Quis auditdiet ipsos Auditores?

        "Who audits the Auditors ?"

        The inquisition. Nobody expects them. Certainly not in Spain... :)

  13. Anonymous Coward
    Anonymous Coward

    For those against Morrisons

    Seriously, just how do you propose preventing HR employees of every company in the country from accessing personal records and copying and distributing them, if they want to, for some nefarious purpose?

    It's impossible.

    1. John Brown (no body) Silver badge

      Re: For those against Morrisons

...but you can have systems in place which record who accesses the data and what they accessed and maybe even flag up when one person accesses large amounts of data.

      1. Anonymous Coward
        Anonymous Coward

        Re: For those against Morrisons

        Not sure what your point is.

        For one - some people need access to large amounts of data and secondly, they've caught the guy and punished him.

What does penalising Morrisons achieve, unless it's just speed camera law, i.e. the more fines the better.

      2. Roland6 Silver badge

        Re: For those against Morrisons

>...but you can have systems in place which record who accesses the data and what they accessed and maybe even flag up when one person accesses large amounts of data.

        Yes, however these systems don't stop one person accessing large amounts of data.

Today I was on a client site; the FD was doing the payroll. For whatever reason, they had to take an extract from the DB and populate an Excel spreadsheet, which then got forwarded to the company that ran the payroll.

So in your example system, it would have flagged that the FD had accessed the data and even that they had accessed a large amount of data; the only issue is their access was 100% legitimate. However, once the data had been extracted it would be out of sight of the data access monitor and thus copied without oversight.
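The access-monitoring idea from the two posts above, as an added example (not from the article or any commenter): it totals rows touched per user per day over constructed audit-log lines and flags anyone over an assumed threshold, which raises an alert for both the auditor's full export and the FD's legitimate payroll extract, and it separately lists EXPORT events, the point past which the monitor can only record that a copy left, not what happened to it. The log format, user names, row counts and the 500-row threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: "timestamp user action table rows".
# Users, rows and dates are made up for this example.
SAMPLE_LOG = """\
2014-03-10T09:02:11 hr_clerk1 SELECT payroll 1
2014-03-10T09:05:40 hr_clerk1 SELECT payroll 1
2014-03-10T10:15:03 audit_senior EXPORT payroll 100000
2014-03-10T11:30:00 fd_user EXPORT payroll 4200
2014-03-10T11:31:12 hr_clerk1 SELECT payroll 1
"""

THRESHOLD = 500  # assumed: rows per user per day before an alert is raised


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "table": table, "rows": int(rows)})
    return events


def rows_per_user_day(events):
    """Total rows touched per (user, day): the 'who accessed what' record."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date().isoformat())] += e["rows"]
    return dict(totals)


def flag_bulk_access(events, threshold=THRESHOLD):
    """Alert on any user whose daily row count exceeds the threshold.
    It cannot tell the auditor's export from the FD's legitimate payroll run."""
    return [{"user": u, "day": d, "rows": r}
            for (u, d), r in sorted(rows_per_user_day(events).items())
            if r > threshold]


def exported_rows(events):
    """Rows that left the monitored system: the monitor records the export
    but has no sight of what is done with the copy afterwards."""
    return {e["user"]: e["rows"] for e in events if e["action"] == "EXPORT"}
```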

  14. Markymark7345

    Data leak

As an ex-employee of Morrison's, yes all my personal details were uploaded. Within several hours my account had been breached with hundreds of data downloads which resulted in my bank closing down and freezing my accounts, ultimately not enabling me to withdraw or pay outgoings for several days. My details such as my N.I. number were posted and above all enough of my details were online for any person with a brain to obtain credit by fraud, which in effect is what happened to myself. Morrison's were made aware of this at the time and did they compensate me? NO. Did they put food in my cupboard to feed my family when I had no access to my own funds? NO. Did Morrison's help me in any way when this happened to me? NO.

So ANY person posting comments to state Morrison's were not liable for whatever circumstance, please consider this... Did Morrison's get a conviction of the employee responsible? YES. Did Morrison's secure any means of financial compensation from that employee? YES. So if Morrison's can obtain compensation from that employee's breach as well as not give a TOSS about my loss as an employee at the time, then why should I not pursue Morrison's for compensation just in the same way they pursued and gained compensation from Skelton... What's good enough for one is good enough for the other. Regardless of what it cost Morrison's, why should it have cost me and caused me and my family distress which Morrison's turned a blind eye to?? Morrison's are at fault, should be found ultimately liable and pay for their employees' distress and in some cases loss. Regardless of the technical legal arguments, what about the average Joe, a committed employee of the company, that Morrison's simply did not give two hoots about? Because I'm telling you now this is Morrison's through and through.


Biting the hand that feeds IT © 1998–2020