Morrisons' massive 2014 payroll breach the result of employee's bizarre grudge


Employee Andrew Skelton allegedly posted entire 100,000 payroll database


The Morrisons employee accused of stealing and emailing the company’s entire 100,000 payroll database to journalists in 2014 did so because he bore a grudge over an unusual disciplinary misunderstanding.

According to the prosecution representing Morrisons at the Bradford Crown Court trial, 43-year-old Andrew Skelton decided to publish the database, containing employee names, addresses, bank account numbers and national insurance numbers, in revenge for being incorrectly disciplined for receiving packages at the company’s head office in Bradford.

Morrisons initially believed that one package contained drugs, but it transpired that Skelton was using the mailroom to buy and sell goods on eBay.

The firm said it believed that this lay at the root of his decision to leak data that, had it fallen into the wrong hands, would have constituted one of the most serious data breaches in British corporate history.

The data was briefly posted on a website and sent to journalists of several newspapers, who alerted police and the company to the breach, resulting in Skelton's quick arrest.

Skelton also wrote a resignation letter in the days before the incident in March 2014. “I have almost as little concern for the company as it does for me,” he is alleged to have written.

A study in 2010 found that worries over data breaches from employees were exaggerated, although when incidents did occur they tended to be noteworthy. In the past, incidents often focussed on network sabotage rather than data theft.

The Morrisons case does beg some questions about the company’s security policies. Skelton worked as an IT auditor and so had access to the sensitive data, but how was he able to steal the entire employee database without this being detected? As the case progresses, more detail of how he bypassed security may be revealed.

The prosecution has also claimed that the disciplinary incident lay at the root of Skelton's alleged actions but has so far not explained why he would have carried out such a hugely damaging act for a reprimand that had been withdrawn.

Morrisons claims that investigating and remediating the theft cost it £2 million ($3.1 million).

"With Morrisons' estimated £2 million bill to fix this data breach, this particular clean-up will be significantly more expensive than a spillage in aisle four," commented EMEA sales vice president for cloud security firm Netskope, Eduard Meelhuysen.

"These findings show that companies must monitor apps in use by employees and coach them towards approved solutions, as well as setting policy to prevent the upload of sensitive information which could result in a costly data breach."
