By Brian Cowan
Back in 2014 the supermarket chain Morrisons had the records of 100,000 staff stolen by an employee. This personal data was later published on the internet. In 2015 the culprit, who had been working for them as an auditor, was jailed.
Data theft – at what cost?
For the thief the cost is eight years' imprisonment and a £170,000 fine to be paid to Morrisons. As his motivation was apparently revenge and there was no obvious financial gain, this has been an expensive exercise for him. Data theft has definitely proven costly, and his next personal audit will not be enjoyable.
For the supermarket chain the cost could be much higher, as more than 5,000 of its staff have launched a legal case for compensation from the company. The employees' claim addresses the loss of personal data, the risk of identity theft, the risk of financial loss and the general distress caused by the breach. For them, the data theft could prove very expensive.
What if this had happened post-May 2018, under GDPR?
I am including this section to illustrate how EU GDPR could affect corporate risk. It does not reflect the situation at Morrisons today, nor is it intended to add to the media frenzy around GDPR fines. However, in a very imperfect world where GDPR requirements had been ignored and breach reporting neglected, a 4% fine would be based on turnover: on the turnover of £16.3bn reported in January 2017, 4% would have been a fine of £652m. With pre-tax profits of £325m for the year, the business impact is obvious. Whilst the ICO have stated that GDPR implementation is not a revenue-raising exercise, the threat is there for those who do not act.
Could this data theft have been prevented?
Probably not. The perpetrator had access to the data to do his job and so could extract it easily. Security audits may have flagged something awry but in all likelihood the damage would have been done. The company has prosecuted him and the courts have imposed a strong penalty, both on his liberty and finances. The full financial impact on the company will be determined in the courts.
What can we learn from this data theft?
Firstly, data loss can be expensive for all parties concerned. Where possible, data access should be restricted to authorised users only. Audit mechanisms should be put in place to track access and usage. Monitoring toolkits are available that can track data access and usage, such as those from Varonis and STEALTHbits. These tools give management visibility of how data is being used, whilst also keeping infrastructure security in view. Active Directory should always be kept clean and up to date, for both security and efficiency; both vendors have advanced capabilities in these areas.
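The audit-and-monitoring point above is easiest to see with a concrete check. The following is an added example, not code from the original post and not how Varonis or STEALTHbits work: it parses a constructed file-access audit trail and flags any account that reads an unusually large number of distinct personal-data records within a short window, which is the pattern an insider bulk export leaves behind. The log format, the user names, the threshold and every log line are constructed for illustration.

```python
"""Added example: flag bulk reads of personal-data records in an audit trail.

Not from the original article or from any vendor product. The log format
("<ISO timestamp> user=<id> action=<verb> record=<id>"), the sample users
and the threshold are all constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed audit line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": kv["user"],
        "action": kv["action"],
        "record": kv["record"],
    }


def flag_bulk_access(lines, window=timedelta(minutes=60), max_records=50):
    """Return {user: peak_distinct_records} for every user whose reads of
    distinct records inside any sliding `window` exceed `max_records`.

    Only "read" actions count: the question is who is pulling data out,
    not who is maintaining it. The threshold is an assumed baseline; in
    practice it would be set per role from historical audit volumes.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "read":
            per_user[e["user"]].append(e)

    flagged = {}
    for user, evs in per_user.items():
        peak, start = 0, 0
        in_window = defaultdict(int)  # record id -> occurrences inside the window
        for end, e in enumerate(evs):
            in_window[e["record"]] += 1
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["record"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_records:
            flagged[user] = peak
    return flagged


def build_sample_log():
    """Constructed audit trail: routine payroll activity plus one bulk pull."""
    base = datetime(2014, 1, 14, 9, 0, 0)
    lines = []
    # Routine activity: eight reads spread over roughly two hours.
    for i in range(8):
        ts = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} user=payroll01 action=read record=EMP-{i:05d}")
    # One maintenance update, which should not count as a read.
    lines.append(f"{(base + timedelta(minutes=20)).isoformat()} "
                 f"user=payroll02 action=update record=EMP-00003")
    # Bulk pull: a single account reads 300 distinct records in ten minutes.
    for i in range(300):
        ts = (base + timedelta(hours=1, seconds=2 * i)).isoformat()
        lines.append(f"{ts} user=audit07 action=read record=EMP-{1000 + i:05d}")
    return lines


if __name__ == "__main__":
    for user, peak in flag_bulk_access(build_sample_log()).items():
        print(f"ALERT: {user} read {peak} distinct records within one hour")
```

The sliding window keeps a count per record id so that repeated reads of the same record do not inflate the total; what matters for a data-theft signal is breadth of access, not volume of clicks. A real deployment would feed this from the monitoring toolkit's export rather than a hand-built list, and would set thresholds per job role, but the shape of the check is the same.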
GDPR, once in force, can represent a heavy financial risk to non-compliant organisations. There is no "blueprint" for compliance, but it is important that organisations address the requirements and implement steps to demonstrate good data management processes. The regulation is intended to improve the management of personal information and is likely to become part of the qualification process in supply chains. Further information on planning for GDPR can be found by clicking on the first image below: