Morrisons Breach Update

After the alleged Morrisons Breach last year, sensibility has prevailed. As a CISO and as a business owner, I thought it crazy to prosecuted a company for the criminal actions of an individual seeking to harm the business.

The UK’s highest court ruled that Morrisons can not be liable for a criminal act of a person seeking to harm their business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not “vicariously liable”.

Morrisons Breach, what happened?

If you are not familiar with the Morrisons Breach story, an IT administrator within Morrisons had a grudge with the business and decided to, using their elevated privileges, access the HR system and leak the payroll of around 100,000 members of staff. The incident happed after the IT administrator received an HR warning for their actions. 

The Register has a good article on the original breach here.

Could IT have been prevented?

Businesses biggest asset is their people. Encouraging a culture of discussion of unusual behaviour without fear of retaliation is a good start. Background checks, monitoring and spot checks are all permissible in the UK when there is transparency and employees are informed. Making routine background checks a part of the HR process for role changes and promotions should be part of business life.

Treat your staff well and do not just monitor them at the outset. Many of these cases start with a disgruntled employee. Businesses can use “speak-up” initiatives to allow staff to raise grievances both formally and informally.

From a technical aspect, there are controls to implement. It is a case of looking at the dataflow and identifying the right tool for each step. Looking back at this case, we have a series of steps:

  1. Access to the HR System
  2. Aggregation of information
  3. Transmission of information

Access Controls

The easiest of the controls to address is the access controls. IT administrators need to be able to control systems, but there should always be a log. The log should detail the following:

  1. Who accessed the system;
  2. What time and date; and
  3. Activities performed;

These logs should be reviewed every week by the department head.

While discussing logs and log data, shared users accounts must be forbidden. All administrators should access systems using their account and use their elevated privileges via admin or sudo functions.

Aggregation of Information

Endpoint monitoring solutions such as Data Loss Prevention* tools will identify when information is aggregated and disseminated. 

Transmission of Information

Mobile media controls will further enhance this, preventing the movement of aggregated information to external media. Data Loss Prevention tools will identify the transfer of aggregated information via email or copying to the internet.


Can we help?

If you have any questions or would like to know more about how Hedgehog can help you and your business, please use the contact form below or any of the various ways on our site to get in touch.

[caldera_form id=”CF5e7f1635294b3″]