Depends if decent efforts at data security made by Morrisons
It's all about taking reasonable steps to keep data secure
Big red flag that auditor could plug in a USB stick and copy data, external device use would be expected to be locked down & with sensitive data a mechanism in place to verify valid reason to copy that data.
Just like my house insurance, if I go out and leave house door unlocked, if I am burgled whilst away my insurance will not cover the loss as I did not take reasonable security measures.
So if Morrisons were lax on security procedures, then some of the responsibility must lie with them. Just about any company with a security clue routinely locks down USB stick (& similar) access without having to jump through a lot of hoops, as a matter of basic security on all machines (never mind machines with access to sensitive stuff)