
When thousands of your employees sue you, it suggests you’ve done something pretty bad. Yet it’s happening to Morrisons right now. And it hasn’t.

The back story is this: a former employee called Andrew Skelton, a 43-year-old bespectacled senior internal auditor at the supermarket, got a slap on the wrist for using the Morrisons post room to post his eBay stuff. He deserved a warning and he got one. That should have been that.

But Skelton, blessed with the criminal mind that failed to pull off an eBay scam on a post room, decided to up the stakes and wreak revenge on the employer who stopped him stealing from them.

His masterplan was to use his position to access the personal details of 100,000 Morrisons staff, like salaries, national insurance numbers, dates of birth and bank account numbers. Then he leaked them online, where they joined thousands of other sets of data that can be snapped up for £20 deep in the murky depths of the Dark Web.

In July, Skelton got banged up for eight years, which suggests he’s not really cut out for this kind of thing. He should probably have channelled his anger into looking for another job. But Morrisons has also paid a hefty penalty.

The episode cost it £2m in various fees and costs to safeguard employees. And today it told The Grocer it had paid out an additional £200,000 so employees were not worse off as a result of Skelton’s actions, such as covering the costs of changing bank accounts.

But perhaps the biggest insult of the whole tawdry affair is the news that more than 2,000 current and former employees are gathering to sue Morrisons over the data breach.

With sales continuing to fall and Christmas on the way, it is a distraction the supermarket doesn’t need. And the fact this attack comes from within must be especially galling. A bewildered Sir Ken must be shaking his head at this atrocious lack of loyalty. I imagine he’d gladly shell out £20 to get their phone numbers and give them all a piece of his mind, only – and I’m going out on a limb here – Sir Ken might not be wholly familiar with firing up his Tor browser and bouncing his IP address through several layers of encryption to do it.

And without underplaying the significance of such a leak – it’s potentially very inconvenient indeed for those affected – according to Morrisons nobody has “suffered any financial loss from this breach”.

Some will say that’s not the point and it should never have happened in the first place. Especially if they are lawyers like JMW Solicitors who are busily rounding disgruntled chancers up to lend weight to their case. And sure, we’d all like to think our data is safe.

But Morrisons is by no means alone in its vulnerability to anyone determined to hack it. We are all vulnerable if anyone wants to hack us. A 15-year-old boy brought TalkTalk, a £2.4bn company, almost to its knees this week. The next day, M&S suffered a security lapse and suspended its website. And of course such systemic failures are regrettable.

Yet for Morrisons at least, this was the failure of a single trusted employee with access to sensitive information who committed a bitter, malicious act by leaking the data online. And, rightly, Morrisons will contest the action. “We are not accepting liability for the actions of a rogue individual,” it says.

In this instance at least, that feels like the right attitude to take.