"This was an illegal theft of data"
Rather than a legal theft of data?
Morrisons' checkout and shelf-stacking staff across the UK will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online. The grocer said on its Facebook page that it had notified all its workers that their personal information had been …
Anyone have any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?
Morrisons could be open to legal action from every employee who had his/her info stolen if no security measures had been taken with the data. 100,000 is rather a large number after all.
> Anyone have any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?
Well, Alexandra from HR will be royally pissed if she's unable to handle employee data because they were "obfuscated in any way".
Most data stores are not improved by hashing or obfuscating them.
> Most data stores are not improved by hashing or obfuscating them.
I know PCI-DSS is hard and expensive, but that doesn't mean you can't learn from how we deal with it. Tokenise the data and only get it out of the vault when you absolutely have to. In the meantime, encrypt in transit and encrypt at rest, so even the IT bods with a debugger and a copy of the data store can't see more than what is currently being processed.
A supermarket *can* afford that.
... and finally, surely this was infringement, not theft...
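A sketch of the tokenise-and-vault approach the comment above argues for, as an added Python example (not from the commenter, Morrisons or any real payroll system). The employee rows are constructed, the `Vault`, `build_payroll_table`, `leaks_bank_details` and `payment_run` names are mine, and the vault's own encryption at rest, which the comment also calls for, is not shown.

```python
import re
import secrets

# Constructed sample payroll rows (not real people or accounts).
EMPLOYEES = [
    {"id": 1, "name": "A. Worker", "sort_code": "12-34-56", "account": "12345678"},
    {"id": 2, "name": "B. Cashier", "sort_code": "65-43-21", "account": "87654321"},
]

ALLOWED_PURPOSES = {"payment_run"}


class Vault:
    """The one place that holds real bank details; everything else sees tokens.
    In production this is a separate, access-controlled service, not a dict."""

    def __init__(self):
        self._store = {}
        self.audit = []

    def tokenise(self, value: str) -> str:
        # Random token with no mathematical relation to the value, so a dump of
        # the payroll table cannot be reversed or brute-forced offline.
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = value
        return token

    def detokenise(self, token: str, caller: str, purpose: str) -> str:
        # Release a value only for an allowed purpose and log every request,
        # denied or not, so that curiosity and misuse are visible afterwards.
        if purpose not in ALLOWED_PURPOSES:
            self.audit.append(("DENIED", caller, purpose, token))
            raise PermissionError(f"{caller} may not detokenise for {purpose}")
        self.audit.append(("READ", caller, purpose, token))
        return self._store[token]


def build_payroll_table(vault: Vault, employees: list) -> list:
    """What HR, and the IT bods with a debugger, actually get to see."""
    return [{"id": e["id"], "name": e["name"],
             "sort_code": vault.tokenise(e["sort_code"]),
             "account": vault.tokenise(e["account"])} for e in employees]


def leaks_bank_details(rows: list) -> bool:
    """Scan a dump for anything shaped like a UK sort code or 8-digit account."""
    pat = re.compile(r"\b\d{2}-\d{2}-\d{2}\b|\b\d{8}\b")
    return any(pat.search(str(v)) for r in rows for v in r.values())


def payment_run(vault: Vault, rows: list, caller: str = "bacs-batch") -> list:
    """The single step that needs real details: resolve tokens just before use."""
    return [(r["name"],
             vault.detokenise(r["sort_code"], caller, "payment_run"),
             vault.detokenise(r["account"], caller, "payment_run")) for r in rows]
```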
> any idea if the employee information was obfuscated in any way or if the hackers found it available in plain text?
> Morrisons could be open to legal action
Can you offer a justification as to the legal basis for that? As far as I'm aware, nothing in English law explicitly requires "obfuscation" of personal data in this case.
@Amiga500: "There is no mention of WIPRO supplying the payroll data, where did you read that?"
It's in the linked-to PDF document.
link: "WIPRO enabled Morrisons' £30 million business transformation - one of the largest in the world - and helped realize savings to the tune of £7 million."
I remember a few years ago working for a medium-sized national high street retail outlet, after questioning some staff payroll issues I was forwarded a database of every member of staff's payroll information in the whole company, CEO and down, gross salary, perks, bonuses, the lot for a whole year. I did the responsible thing but it's so easy for this to happen innocently so long as the workers are not aware of the risks of the data they are playing with, never mind actual theft!
Interestingly, after I had a good look at the whole company structure I was appalled at the pay differences on contractual gross pay alone, even in the top 2/3 tiers, the drop down to the next tier of management was staggering, in the order of a tenth! Things dropped in a standard fashion down to regional managers thereafter and finally the drop to store management was another shocker. Normal store workers and many at HO/DC accounting for the vast majority of staff were of course all on minimum wage.
I guess I hadn't realised that even in HO, the pay wasn't that great and even more senior management at HO were getting a fraction of the top 2 or 3 tiers.
IMHO the secrecy regarding pay differentials is one of the reasons why the high ups in companies earn so much more than the worker bees. There are right ways and wrong ways about publicising what goes on at particular companies. If the intention was just to publicise the pay rates for different jobs, what has happened at Morrisons is most definitely the wrong way.
As a general point , if we don't talk about what different jobs pay, we will never address what I perceive to be the growing wage inequality in British companies. Useful information about payroll costs and pay differentials isn't always published in annual reports. Of course, us proles could all just keep quiet about it, but I wager the people in charge of setting pay do talk to each other. The wage fixing investigations in Silicon Valley over in the US have shown us it does go on.
Responsible thing? What's that?
1) Keep quiet
2) Discreetly tell store union reps if any, possibly get fired.
3) Discreetly tell trade journalists, maybe get fired
4) Indiscreetly tell employees, watch the revolution begin
5) Anonymously post it on an internet forum
6) Raise your concerns with upper management, get fired
The Reg really needs a multiple choice vote button.
Absolutely :) But it was handed over and not a word mentioned, let's be honest here, we can all sit here and say we wouldn't do it, but I'd hazard a guess and say most of us would take a wee peek.
But given that you or anyone else here doesn't have any idea who I am, and even if they did couldn't pin it down to a company within my vast number of years I've been working, I think it's safe to say no one will be the wiser what that information was.
IBM did a series of adverts some years back - a title, a sort scene, then the IBM boop-do-be-doop jingle and logo.
The one they did called "Hackers" featured two people looking at a company's payroll information and remarking "wow - that guy earns twice as much as that guy. I bet he doesn't know". To which the other replies: "he does now - I just emailed it to the whole company".
It's not for nothing that IBM picked that particular scenario to scare corporate viewers.
The way to fix staff payroll data theft is fire anyone whose data gets stolen, as long as they are just someone who works there and not important to the company. This is because data theft is against the Company Policy and if a worker's data is stolen it must be their fault because it was their data. Then they are no longer an employee so no laws about employee data security have been broken.
Anyone who complains about this rule also gets fired. Anyone who makes fun of this rule is also fired, unless they are the boss telling a joke in a meeting, in which case everyone who doesn't laugh is fired, unless this was actually a company loyalty test, then random people are fired (for laughing, or not). Everyone taking legal action against the company is fired, not in retaliation, but because if they are talking to lawyers they are not at work, working. Everyone consulting with a lawyer is fired, since the company is paying them and it is against the rules to spend company money on lawyers that don't work for the company.
Everyone in IT is fired. There will be no more IT. IT will be run by one guy from payroll who knows Office and once upgraded Windows on his home computer. If he doesn't work overtime for no extra pay he will be fired.
I've worked for this outfit for far too long, and to be honest, I'm surprised it's taken this long for this sort of thing to happen.
But then, they have blamed the recent losses, at least in part, on the recent IT upgrades they have done - they have brought a brand new ordering system in to stores (among other things), it cost at least 8 (possibly 9) digits to bring about, and it is universally despised by every member of staff who comes in to contact with it.
The most laughable thing is the mid-range 11 inch Windows 7 tablets we have to use - they run nothing but a Chrome webapp, and are far over-powered for what they are used for, but they rarely if ever work properly - we have 6 in store, 2 refuse to boot and another has a touchscreen that only works on random spots.
I reckon they could have picked up a bunch of 50 Android tabs from Amazon, locked them down, and had them running better for the job than the POS we've ended up with which cost well over a grand a piece.
So yeah, it's no surprise that security in the IT department is so lax that payroll details have been leaked - oh, and that whole "We've informed our staff about this" thing - an A4 piece of paper was put on the staff notice board that no-one actually pays any attention to - that is the only official word we have had on the matter.
Posting anon, for obvious reasons.
Isn't it fairly general that the big software packages used by big organisations are complete rubbish?
We had an accounting software package at my work (before retirement) that handled everything - stores, spares, timesheets, scheduling etc. It was produced by a large American company (three letter abbreviation but not IBM) and seemed to be used by many other large organisations. It was universally hated and very awkward to use. I used to wonder if the people at the top ever had to use it because I could not imagine them being able to drive it.
Why do companies, and it seems to be mainly supermarkets, insist on using the word "colleague" when they mean "employee"?
There's a sign at the local Asda, along the lines of "Don't reach up to this high shelf, ask a colleague for assistance". Well I would, but none of my colleagues are here shopping with me. I think what they mean is "ask an employee" or "ask an assistant".
Is it some sort of politically correct newspeak designed to make employees feel in some way valued or empowered, by not calling them employees? In the same way the people who empty your bins are apparently "operatives"?
A semi-relative spent the summer uni-vacations working at a local store as a member of their "Out-of-Hours Ambient Replenishment team" - better known as a night-time shelf-stacker in the tinned/dried food aisles.
[Seems that in the world of food "ambient" is used as the opposite of chilled or refrigerated].
Sometimes people try to dress up a poor job with a fancy title. I bumped into an old friend a while back and I asked them what they were doing now. They said they were an Information Engineer. I was a little surprised because I know what a real Information Engineer is and this person had never when I knew them shown leanings toward anything remotely sophisticated.
Turns out they put content on a website.
A small website.
Using Ctrl-C and Ctrl-V mostly.
Is it some sort of politically correct newspeak?
Yes, but it's more than that: there are people in those supermarket chains (way higher than the shop-level staff) who sound like they genuinely believe that the word "colleague" is used in earnest and signifies how much their company values their work. Correction: contribution to the well-being and (always) growth of the company.
Not sure what details are there in the database, but why necessarily would the employees be worried about their bank accounts?
"will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online."
Typically knowing someone's name and bank account details allows you to make a transfer TO them. If I want to TAKE money from the account, I need to have one of:
- a bank card linked to the account + know the PIN (to make ATM withdrawal)
- some sort of one-time-key security dongle + knowledge of a PIN or password (online banking)
- a photo ID having my photo plus name on the account, plus many times also the physical bank card (to make an in-person withdrawal at the bank)
Of course that's assuming the banks have good security procedures in place...
Oh FFS stop it.
If an unauthorised DD comes out of your account just ring your bank and tell them, the money is instantly recalled and the DD cancelled with no damage done, used it many times when "administrative errors" result in my monthly bills getting FUBARed by various companies.
Wot you like hanging on the line to explain to the call center people that it wasn't you?
It is something you shouldn't have to do ever.
Something similar happened to the wife. The withdrawal went over a limit, the account got blocked so call center people couldn't even see anything on their screens. Branch phone number diverts you to said call center. Seeing as we weren't in the UK at that time it was a royal pain. Withdrawal wasn't to a charity/utility either.
This attitude, prevalent in Britain, has always amused me somewhat. This is a nation who think giving out your bank account number is dangerous but insist on using cheques. They think ID cards are dangerous but proving your identity with a gas bill is fine.
Brits are very resistant to any kind of change, so they bring out some well publicized case while ignoring the fact that the old system is clearly broken.
It's one of the many endearing idiosyncrasies about the UK, along with other band-aid solutions like hot water bottles, carpets and thick curtains. The rest of us build our homes warm and draft free.
But I love Brits and the UK to bits. The Shire wouldn't be the same if hobbits lived any other way.
'worried?
Not sure what details are there in the database, but why necessarily would the employees be worried about their bank accounts?
"will be anxiously worried about their bank accounts this morning, after the supermarket admitted that thieves had spaffed employee payroll details online."
Typically knowing someone's name and bank account details allows you to make a transfer TO them. If I want to TAKE money from the account, I need to have one of:
- a bank card linked to the account + know the PIN (to make ATM withdrawal)
- some sort of one-time-key security dongle + knowledge of a PIN or password (online banking)
- a photo ID having my photo plus name on the account, plus many times also the physical bank card (to make an in-person withdrawal at the bank)
Of course that's assuming the banks have good security procedures in place...'
Like the fuss someone will make about giving their bank account number online yet will send a cheque by mail to a complete stranger and what does the cheque have printed on it ............
This appears to have been a theft of data not a hack.
Someone needs access to payroll data in an organisation and if those people decide to steal it, it can be very difficult to prevent them from doing so. I know we all love to jump to conclusions but I haven't seen anything to suggest that this isn't the sort of attack that almost any organisation might fall victim to.
Doesn't matter if it was theft or hack, were sufficient measures put in place to attempt to prevent the loss of the data?
Since >80% of data loss incidents occur from inside, that is where the focus of protection should be.
It's hard to restrict the DBA of the HR system from accessing the data, but you wouldn't expect the web admin to have access. Edward Snowden demonstrates that you can never prevent every loss, but only the ICO report will reveal if this was a leak through bad controls as well as bad people.
Monsieur Besancenot, please go!
Some have pointed out that the article doesn't say it was external crackers, and so it might be an inside job. While possibly the case, if you had access as an insider, why would you post all the details online? Morrisons will obviously call in experts (and police as they've said), so I'd worry about being caught, and surely the consequences of this would far outweigh the lolz gained? The perp also sent it to a newspaper, increasing the avenues for investigation.
Ok.. so any money on who got the word first in order to get the bank to change their account number? Either the CEO or the junior stock person in the warehouse? And I'd lay odds that every senior staff member disappeared to their bank as soon as they were told and didn't have to wait until the end of their shift like everyone else.
The banks should allow you to set up "aliases" for your bank account. They generate a new account number that is linked to your main bank account and then you give that account number to your employer or whoever needs to transfer money into your account. Make the account only available for inwards funds transfer, so that if the account details are stolen, they're of precious little use to anyone. (sort of like how you can get disposable, pre-pay credit card numbers)
At a stroke, this would solve the problem that these data breaches cause. They should also extend the "alias" idea so that you could set up separate payment accounts that you use for different recurring bills.
It seems simple and effective, but am I missing some obvious gotcha?
Citibank send me my credit card statement with card number helpfully obfuscated like:
1234-4567-89XX-XXX
However, helpfully printed on the bottom of the statement, on the 'do not write here' return slip it has the full card number in clear text.
So what could possibly go wrong with your great idea?
They use the fact that the firm is a "family run business" as an introduction to their agencies' induction process. Some of the videos shown at the induction indicate the family is a bunch of cut throats but oddly that doesn't put anyone off. Being unemployed trumps frightened rabbit every time.
The agency(s?) steal potential money from potential employees before said potential employee even gets a job. It is all to do with the forms you fill in and the permissions you have to give. They are just like the forms you fill in online when you join MSN Groups and end up agreeing to all the spam hell can send you.
They use agencies to employ temporary staff so that they can be let go without any comebacks. At the interview, the hopeful are ordered to give details of their accounts "for payments to be made" when eventually employed.
The details are then used to access the account and take out a small amount regularly. Most people notice and stop it but a lot, enough, don't see it until too late.
Does anyone know if the data was only current employees?
Morrisons made a lot of people redundant ~6 months back. It is unlikely that Morrisons will be contacting their ex-employees to say "sorry but we still have your financial info on our systems and now it's been stolen".
Enquiring ex-employees need to know if they are at risk.