UK: Morrisons supermarket suffers major payroll data breach (Updated)

John E. Dunn reports:

British supermarket Morrisons has reportedly suffered a major data breach which saw the pay-roll data of an unknown number of its 100,000 staff stolen and published on a website.

In an email sent to staff and later seen by TV media, the attack was said to have involved the theft of names, addresses and bank account details of workers “from all levels of the organisation.”

Morrisons became aware of the posting of the data on a website – since taken down – only last night, the email said.

Read more on TechWorld.

City A.M. reports the firm has issued a statement on Facebook:

We are extremely sorry to inform you that there has been a theft of colleagues’ personal information, which was uploaded onto a website. As soon as we became aware of this last night we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified.

– This was an illegal theft of data.

– It can no longer be accessed on the website.

– We are liaising with the police and highest level of cyber crime authorities.

The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.

Our immediate priority is the security of your financial information. We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account.

We recognise that you may have questions and we are setting up a helpline. We will update you later today.

We have already set up a dedicated e-mail address for you to send any questions which is[email protected]
We are taking this extremely seriously. Dalton Philips is leading the response.

We are very sorry that this has happened. We will ensure that no colleague will be left financially disadvantaged as a result of this theft.

Update: Although TechWorld’s headline announced this as an insider attack, I don’t see where there’s evidence that this was an insider breach – at least, not yet.

Update 2: Ah, here we go. Reuters reports:

Morrisons ensured the data was taken off the website and said it did not believe it had been the victim of an external cyber attack, implying the data was likely leaked by an employee.

“Initial investigations suggest that this theft was not the result of an external penetration of our systems. We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged,” it said, adding it was working with the police and cyber crime authorities to identify the source of the theft.

About the author: Dissent