Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers

"Cutting to the chase, it's not a case where the office cleaner finds a thumb drive, picks it up and takes the opportunity to make some use of it," barrister Jonathan Barnes told the Supreme Court as he urged judges to dismiss Morrisons' appeal against liability for its 2014 payroll data breach. As reported yesterday, …

  1. Pier Reviewer

    Not exactly rocket science this one. Morrison’s be screwed. Can’t blame them for arguing the case, but they won’t win it. Schedule 1 Data Protection Act 1998 provides:

    “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

    Appears the only reason he had the data was to pass it on to the external auditors. Should have been encrypted at rest so he could pass on the data, but couldn’t access it himself. Morrison’s failed to take appropriate measures. Yet another case of security controls being bypassed or not deployed because it makes life a bit more difficult. As a result control of 100k people’s data is lost.

    The only good news for Morrison’s is it pre-dates GDPR.

    1. lotus49

      This is legally and factually incorrect.

      The first judgement (which I have read and you clearly have not read) made it absolutely clear that Morrisons had not breached its responsibilities under the Data Protection Act. In addition, the matter was fully investigated by the ICO which took no enforcement action nor required any remediation.

      The issue is purely whether Morrisons is vicariously liable. Morrisons has been found not to be at fault and this verdict was not appealed.

      1. gnarlymarley Bronze badge

        > The issue is purely whether Morrisons is vicariously liable.

        If it is true that Morrisons didn't take action back when it happened, then they can be held liable. As near as I can tell, he was disciplined by Morrisons, but remained an employee. This appears to be what the case is now about. Had Morrison terminated his employment with previous offenses, it could have been a different situation.

    2. Kientha

      Morrisons were following the guidelines they were told they had to implement by KPMG. The ICO said the only other thing they could have done was have tools in place that would have alerted them that Skelton had copied the data on to an unencrypted USB which, because of the job he held, would not have raised alarm bells quick enough to prevent the leakage of the data. Skelton's entire job was handling sensitive data. They did not do anything worth being fined for under DPA or GDPR

      1. Anonymous Coward

        So... person allowed to press button, yet probably shouldn't press it, presses button and people are surprised button is pressed?

        This is a constant problem: how do you prevent authorised people doing authorised things whilst simultaneously not doing so?

        USB port, meet hot glue gun!

        1. Roland6 Silver badge

          >USB port, meet hot glue gun!

          Only problem, person was authorised to copy data on to an encrypted USB stick - a task hindered by the glue...

    3. Captain Scarlet Silver badge
      Stop

      What would have encrypting the USB stick done?

      We have a policy here where every USB storage device has to be encrypted, if I know the encryption key I can decrypt on another machine.

      1. vtcodger Silver badge

        Perhaps ...

        I think what is being suggested is probably that the data should have been encrypted using a KPMG provided public key that Skelton couldn't use to decode the data. Perhaps.

        Who would be responsible for implementing such a process? Morrisons? The UK government? Skelton? KPMG? The EU? Maybe Joint and Several Liability applies here. There are some quite deep pockets amongst that lot.

        1. Anonymous Coward

          Re: Perhaps ...

          We don't know if the complete dataset was required to be handed to KPMG. That it states he was required to hold on to the data for a period of time in case there were other queries might suggest that it wasn't.

          Therefore KPMG might have been doing a spot test on a sample of data. He may have been in a position to provide the sample based upon their request. When we have auditors they never ask for every invoice; they ask for a sample of 50 that they choose from a list of invoices, for instance.

          If you have handed the whole dataset over to KPMG you have made the information less secure by passing it to a third party without proper controls in place and with no knowledge of the people they have hired or have access to that data. If a KPMG employee had a grudge and uploaded it to a website then similar questions may have been asked of both Morrison's and KPMG - including why did you give them the whole dataset and not a subset?

  2. Danny 2 Silver badge

    It's almost as if IT staff should be properly paid, trained, funded, respected and listened to. And you know, or may not know, we actually are in most of Europe. Britain is an outlier for promoting wide-boy accountants over actual engineers.

    I'm having a bad day, I just learned my niece is going to become a lawyer. I had hopes for her. "An environmental lawyer"...aye, spin it how you want it. If Britain has a fault then it is not a lack of lawyers.

  3. sbt Silver badge
    Meh

    Resistance is futile

    I confess I'm a little bit sympathetic to Morrisons here; at some point you're obliged to trust your employees with access to information in order to get stuff done efficiently. Over the years I have had access to and been entrusted with massive quantities of PI and financial information, some quite sensitive, but I've never let any slip. In fact, pretty fanatical about not accessing it in the first place unless essential, and deleting early and often. Always encrypted at rest.

    Anyway, just on that Supreme Court badge in the photo; I've never seen it before, but couldn't help noticing the massive Greek letter Omega in the mix. I guess it makes a change from all the Latin mottoes these official things usually sport. Apparently it symbolises finality. Seems kind of ominous.

    1. Anonymous Coward

      Re: Resistance is futile

      Trust = I do not care enough to be certain

      1. lotus49

        Re: Resistance is futile

        Complete bollocks.

        Firstly, there is no way of knowing whether someone is trustworthy and secondly, the court did not find that Morrisons was at fault, nor was it found to have breached its DPA obligations, something with which the ICO concurred.

        1. Kientha

          Re: Resistance is futile

          Yep it was Skelton's job to send the financial data to KPMG. He had a business need to process that data. The process that KPMG told Morrisons to use involved putting that data on an encrypted USB. If they are held accountable for the actions of an employee breaking the law entirely out of a want to damage his employer for punishing him when he broke the rules, that has significant negative implications for all UK businesses and is giving Skelton exactly what he wants!

    2. AMBxx Silver badge

      Re: Resistance is futile

      It's the liability bit that's the problem. If he'd stolen money that was destined for the employees' salaries, Morrison's would have been to blame, but they would still have had to pay the salaries.

      1. Kientha

        Re: If only...

        And would have been able to attempt to reclaim that money from Skelton along with the costs of retrieving the money from him. Legally, the case is really interesting on the second element more than the first. If someone commits a criminal act that has a significant relation to their job role but is clearly not a function of their job, can their employer be held vicariously liable for that act? Does that count as the one continuous act required for vicarious liability?

  4. earl grey Silver badge
    Flame

    Time in chokey and a big fine

    Both parties at fault here. Resolution simple.

    1. lotus49

      Re: Time in chokey and a big fine

      Again, this is factually and legally incorrect. See my comment above. Morrisons was found not to be at fault in the first trial and this verdict was neither appealed nor overturned.

      The finding of the first trial and appeal was that Morrisons was vicariously liable for the actions of its employee but was explicitly found not to be at fault.

  5. Venerable and Fragrant Wind of Change

    Verdict next year

    Isn't Lady Hale about to retire? If the verdict is next year, does that mean it'll be from one of her colleagues, perhaps without the spider?

  6. Danny 2 Silver badge

    How do you get two whales in a supermarket trolley?

    You take the S from Safe and the F from way.

    It's at least a decade since I told that joke here. Honestly, it was funny in the nineties.

    [Edit: So there was a pre-existing joke with the same setup but a different punchline. The first punchline was "Down the M5". A pun on "To Wales". I won't explain the second joke because you are all smart enough to figure it out. ]

    [Edit: To give youngsters a fair chance I should add that in the UK Morrisons used to be called Safeways. The past is a foreign country: they code things differently there.]

    1. Commswonk Silver badge

      > I should add that in the UK Morrisons used to be called Safeways.

      Er... not really. Morrisons goes back > 100 years and bought Safeways several years ago. "Some Morrisons supermarkets used to be called Safeways" would be correct.

      </pedant>

      1. lotus49

        This is correct. Morrisons bought the UK subsidiary of Safeway which was still trading under its own name in the US the last time I visited.

        1. paulf Silver badge
          Headmaster

          Again, not totally correct. The UK subsidiary of Safeway was bought by Argyll Foods in 1987 (Presto was their main chain, with the advert jingle "You'll be impressed, in Presto"). Argyll eventually renamed itself Safeway PLC, and it was this that Morrisons offered to acquire in 2003 (completion about a year later).

    2. Kane Silver badge

      "How do you get two whales in a supermarket trolley?

      You take the S from Safe and the F from way."

      Nope. Still don't get it.

      1. Intractable Potsherd Silver badge

        Neither do I.

        1. paulf Silver badge
          Coat

          Coughs: "Take the F from way? But, there's no F in way!"

          Editor's note: "F in way" becomes a homonym for the phrasing "Effing Way", i.e. there's no fucking way [you could do that thing].

    3. Cuddles Silver badge

      "So there was a pre-existing joke with the same setup but a different punchline. The first punchline was "Down the M5". A pun on "To Wales"."

      You're going to struggle to get to Wales on the M5.

      1. Velv Silver badge
        Coat

        I always heard it (and it only really works when spoken) as:

        "How do you get two whales in a Mini?

        "Across the Severn Bridge"

        It's like Peter Kay's "I asked the Kebab Shop if they Deliver" and they said "no, just chicken or lamb"

  7. Aqua Marina

    Headline?

    Is Gareth Corfield working for the San Francisco office now because his choice of headline has put all of his future articles at the top of my "Do not bother to read, personal bias or click-bait headline here" list, up there with anything that has been written by the San Francisco guys for a couple of years now.

    When I saw the post in the news feed, I only saw part of the headline, which made me think that the case had been decided against Morrisons; then I followed and read, and no such thing had happened. Come on Gareth, The Sun, The Daily Sport and most of the other red tops in the first decade of this century were doing what you've just done: deliberately crafting your headline so that only the first part of it appears and gives the impression that the complete opposite of reality occurred.

    I've said it before, but can we have a "Downvote this Author" option please.

    1. DreamEater

      Re: Headline?

      I agree, and because I read it all I felt invested so had to read the comments.

      Very click baity.

    2. gazthejourno (Written by Reg staff)

      Re: Headline?

      With 29 withdrawn comments I thought you might see better than to post this, but perhaps the 6 upvotes emboldened you.

      I have placed your commentard account on pre-moderate. We don't need clodhopping dullardry like this polluting the forums.

      If anyone else can explain to me why a straight headline summarising the legal arguments of the Morrisons claimants is "clickbait", do so.

      For all others who are too defective to read beyond the headline, feel free to go and read something more suited to your abilities and station in life. You will find Spot the Dog provides you with an adequate intellectual challenge and suitable dinner party discussion material for years to come.

      1. This post has been deleted by its author

    3. Velv Silver badge
      Childcatcher

      Re: Headline?

      "I've said it before, but can we have a "Downvote this Author" option please."

      There was previously a rating scale on articles. I think it got removed when Andrew Orlowski climbed the seniority tree as he regularly had low scores.

  8. user0

    It's 2019

    Can anyone tell me the relevance of describing what Lady Hale is wearing before I lose my mind.

    It's 2019 FFS

    1. Intractable Potsherd Silver badge

      Re: It's 2019

      Hear hear! It is completely irrelevant. What with the article about some bloke appearing in court "in a yellow shirt" recently, it seems the techie disinterest in clothes is being diluted.

    2. Velv Silver badge
      Headmaster

      Re: It's 2019

      It makes no difference. It is entirely irrelevant.

      However, if you put "Lady Hale" into search engines the first suggested words are "spider" and "brooch", something Lady Hale is famous for displaying prominently when appearing.

      Lady Hale has long argued that the judiciary needed to become more diverse so that the public have greater confidence in judges. I think wearing spider brooches instead of silly wigs makes that point.

      1. LucreLout Silver badge

        Re: It's 2019

        > Lady Hale has long argued that the judiciary needed to become more diverse so that the public have greater confidence in judges. I think wearing spider brooches instead of silly wigs makes that point.

        I think the point would be better made having the senior judiciary made up partly of people attending Northern comps, or who had prior careers to solicitor/barrister. How that could be achieved I have no clue, but frankly, whether you wear a dress to work or not isn't really the kind of diversity that adds any value.

        The vast majority of the judiciary, and indeed the legal profession as a whole, is made up of the ineffectual middle classes who cannot comprehend the lives of an ordinary person raised on a council estate, or a factory worker, or other such person. The disconnect is what causes the problem, not the clothing.

        Normal working class people are simply not represented in public life: the Labour front bench are all millionaires, many with tax-efficient family trusts and expensive second homes, and whose idea of proper behaviour is for Lady Nugee (Emily Thornberry) to take the piss out of a working class bloke who's put England flags on his van during the World Cup. If Thorbers thinks that's acceptable from the self-styled "party of the working classes" then who is supposed to represent them?

        Most people consider the purpose of the law and the criminal justice system is to provide them with justice for transgressions. Lawyers' love of the law as a thing in its own right, quite separate from justice, compounds the problem. Taking shit away is the job of the toilet; most people are happy with that without marvelling at the toilet itself.

        The whole thing is rotten to the core, and that, that is why most of the public have less than zero confidence in the judiciary, the law, or the people who make them.


Biting the hand that feeds IT © 1998–2019