06 Dec WM Morrisons first class-action lawsuit of its kind represents a sea change for mishandling of data
The recent landmark verdict from the WM Morrisons trial — whereby former employees sued the supermarket chain for mishandling their payroll information, which was purposefully leaked online by a disgruntled worker — should serve as a wake-up call for companies of all shapes and sizes (‘Morrisons faces payout over leak of staff pay data‘, December 1). Much more needs to be done to protect data across the organisation; all too often, companies focus their cyber investment on external threats, when instead they should concentrate on what lurks within.
WM Morrison will now have to pay compensation to thousands of staff after a judge ruled that the company was “vicariously liable” for the actions of the irked employee that stole the salary and bank details of colleagues. This represents a sea change in how these cases are dealt with, as it is the first class-action lawsuit of its kind. Allthough Morrisons is now disputing the verdict, this undoubtedly sets a precedent for businesses who hold data on their staff, the issue may stem from an individual, but the repercussions can now be severe and company-wide. As such, it’s never been more vital for organisations to lock down their data and hunt threats in a truly proactive manner, rather than waiting for an attack to happen and then scrambling to remediate it.
It may be a term that evokes cloak and dagger espionage, but ‘insider threats’ covers a plethora of internal vulnerabilities. It could be that someone in a call centre takes pity on an individual who claims they can’t remember their banking password and gives them a few helpful hints, or it could be someone ringing up pretending to be from tech support in order gain sensitive administrative login details. Either way, the repercussions are monumental for businesses. They need insight into how data traverses the network and to be in a strong defensive that actively protects all stakeholders from suspicious activity.
This case is proof that, regardless of whether malicious or accidental, the insider threat is a very real and present danger to both data and a company’s finances. To think otherwise is grossly misguided.