Posted on 28.10.15 by Christian Mancier
In the week where the data breach at TalkTalk has dominated the front pages, today sees the news that more than 2,000 current and ex-employees of Morrisons are set to sue the company after a huge internal breach of security.
In March last year, a bitter senior employee, Andrew Skelton, leaked personal data on almost 100,000 staff online and to various newspapers. The breach included extremely sensitive data, such as salaries, bank account details, dates of birth and national insurance numbers. Since the breach in 2014, Mr Skelton has been jailed for 8 years for fraud for abuse of position, securing unauthorised access to computer material and disclosing personal data.
Now, over 2,000 current and former staff members are pursuing a group claim against the employer, insisting that Morrisons were the ones ultimately responsible for the privacy and data protection breach. It’s thought that Mr Skelton copied the data onto a portable storage device whilst at the Morrisons’ headquarters in Bradford.
With so much personal data released, the staff affected have been put at very real risk of financial loss and identity theft. Morrisons are contesting the case, insisting that they are not liable for the actions of one rogue employee. They have already spent more than £2 million to rectify the situation.
Where an employer such as Morrisons is given personal details relating to their employees, they have a duty under the Data Protection Act to protect that data. Where an individual has suffered some form of loss as a result of a Data Protection breach then they have the ability to pursue a civil claim against the Data Controller (i.e. Morrisons in this case) and this claim can include compensation for distress suffered as a result of the breach.
The question will be asked how Andrew Skelton managed to get access to the salaries, bank account details, dates of birth and national insurance numbers of over 100,000 employees, download this data and then post it online. It will also be asked why there were not sufficient safeguards in place restricting access to this information to a handful of employees on a “need to know” basis or, at the very least, why there were no safeguards to prevent this information from being downloaded.
This case highlights that any organisation is vulnerable to a rogue employee. However, with sufficient procedures and safeguards in place, accompanied by staff training on data protection compliance, this risk can be reduced considerably. Whilst this invariably involves a cost and staff time, that cost and staff time are a drop in the ocean compared to the consequences of a data breach and the associated bad publicity and damage to an organisation’s goodwill – as Morrisons are finding out the hard way.
If you have been the victim of a personal or sensitive data breach, then contact our experienced and knowledgeable team today to find out if we can provide assistance.
Phone: 0161 930 5151.