Insider attack serves as timely reminder that retailers need to take security of all sensitive enterprise data more seriously according to IT industry experts
Morrisons confirmed today it suffered a major security breach involving staff payroll data in the same week that it also issued a huge profit warning.
The fourth largest UK supermarket said it found out last Thursday that details stolen from its staff payroll system, which included bank details, had been published online and sent to a UK newspaper.
Last Friday the company warned it was likely to deliver only a third of profits for the year originally forecast. And now it is urgently reviewing its data security safeguards.
It said the employee data was taken down from the site and stressed it had not fallen victim to any external cyber attack, suggesting the source of the breach was internal.
No evidence of an external breach
In a statement, Morrisons said: “Initial investigations suggest that this theft was not the result of an external penetration of our systems.”
It added that Dalton Philips, Morrisons chief executive, was leading cooperation with police and cyber crime experts to identify the source, while adding: “We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.”
Headquartered in Bradford, the supermarket’s data was sent to the local newspaper, the Bradford Telegraph & Argus, which said it received a CD-ROM containing salary and bank information of some 100,000 staff, including company directors.
Industry experts agreed that the breach serves as a timely reminder to all retailers to secure both their internal as well as customer-facing systems that handle sensitive data.
Guarding against internal threat
Paul Kenyon, co-founder and executive vice president of global sales at Windows rights management systems provider Avecto, commented that organisations can invest a huge amount protecting their networks and data from outside attacks, but that those defences mean little against a rogue employee with an agenda, or even an unintentional error.
He said: “It's difficult to defend against the insider threat but there are steps that can be taken. Limiting the number of administrative accounts and controlling access efficiently can go a long way to minimising the risk.”
And he added: “We should give Morrisons credit as it has done all the right things in the aftermath. It reported the theft to the authorities, urgently reviewed its internal security measures and ensured its response is being led right from the top of the company.”
Strengthening internal defences
But Tim 'TK' Keanini, chief technology officer for network security, performance and application monitoring system provider Lancope, said: “When you look at this event and you ask yourself, is this what good incident response looks like? I’d give them a B-minus in my book.
“They are working with law enforcement, they are communicating with the victims, but the lower grade in my book is the fact that they probably did not have the advance telemetry installed prior to the event to aid in the forensic investigation.
“Particularly if this was insider threat, security tools like firewalls and IDSs [intrusion detection systems] don’t alarm because the attackers are using valid accounts to move around your network.”
George Anderson, director of product marketing at anti-spyware, malware and virus protection systems provider Webroot, said: “It highlights how easy it can be for sensitive data to be abused and fall into the wrong hands, even if those are a disgruntled employee’s hands rather than hackers’. It also underlines the importance of having the right confidentiality, integrity and access data security policies in place.”
Anderson added that a well-developed and executed data security policy should be able to protect against all sorts of breaches, including internal ones.
Layered security approach
“It should encompass everything from identity protection and strong authentication like passwords, PIN and biometrics, to data encryption, which ensures even compromised information can only be used by those with the necessary deciphering encryption keys and permissions,” he advised.
Darren Anstee, solutions architect global team manager at distributed denial of service (DDoS) attack protection, and network security and visibility systems provider Arbor Networks, added that Morrisons must now be seen to take swift and effective action to avoid further reputational damage.
“How Morrisons is perceived to deal with this incident is key, and will likely directly affect its reputation with both employees and the general public,” Anstee concluded.