back to article Morrisons supermarket: We're taking payroll leak liability fight to UK Supreme Court

Morrisons has vowed to take its hack liability fight to the UK Supreme Court after failing to convince Court of Appeal judges it should not be held responsible for the actions of a rogue employee who leaked the supermarket's entire payroll via Tor. The under-fire chain is battling a class action lawsuit brought by 5,000 of its …

  1. HmmmYes

    Im going to go thru this ruling when its annouced.

    Be intresting to see where the court reckosn the blame lies with and why..

    1. GnuTzu

      Key Considerations

      1) Did the company set reasonable policy, and properly inform employees thereof?

      2) Did the company provide reasonable controls to enforce said policy?

      3) Was there a breakdown in the enforcement of those controls?

      4) Or, did the perpetrator intentionally and successfully evade and circumvent those controls?

      Yeah, it'll be interesting to see how this plays out.

    2. Aqua Marina

      So what happens if...

      A Morrison’s cleaner decides one day to take his mop, and bludgeon shoppers to death with it in store. Has the outcome for Morrison’s changed because of the degree of criminal behaviour.

    3. Persona Silver badge

      The devil is in the detail. If a financial auditor asks for a dump of the payroll data to ascertain there are no inappropriate payments, the auditor will always be given access as it's within the remit of their job. If it's an IT auditor however they should not be given it because it's not their job. However if they say they are auditing the controls that protect the data they do get access to examine the controls. If in the process of examining the controls the IT auditor discovers an issue that allows them to take a copy of the data it's hard to assign employer liability as the employer is running a control process with the aim on ensuring that the data is adequately protected.

      The real difficulty comes when the system and finance people supporting the auditors don't have the experience to know what a financial auditor must be permitted to do compared with what an IT auditor must be permitted to do. Some auditors do their best to bypass the management chain and go straight to the lower level workers that have been pulled in to assist with prior queries. To make matter worse sometimes an IT auditor gathers data for a financial auditor.

      In short it's difficult to provide a control framework that is proof against the very framework they are auditing to be sufficient

  2. Giovani Tapini

    I expect to be flamed

    But I don't quite get it...

    The company must be responsible to some extent for the actions of an employee even if they go rogue and do something dumb.

    I would suggest this may mitigate to some extent damages awarded against them as controls will never be able to eliminate this risk.

    Trying to argue that a corporation has no responsibility for employee actions rogue or otherwise would create all sorts of bizarre anomalies. This would surely mean that the guys fixing LIBOR were nothing to do with their employer either.

    Effectively corporates would gain almost total immunity to the law if taken to its furthest (and possibly ridiculous) extent. Every issue would simply require a scapegoat found.

    1. Nick Kew

      Re: I expect to be flamed

      The corporation is responsible for the corporate culture and environment in which things happen. I would hope that would be considered relevant to the level of corporate blame and/or responsibility when bad things happen.

      That's why employees have to go through all that tedious box-ticking training, on subjects ranging from Elfin Safety to Diversity Awareness. So when Dodgy Joe gets accused - rightly or wrongly - of harassing Dodgy Jo, the company has at least not been negligent in failing to educate him.

      Bottom line that I expect Morrisons are trying to argue is that this was so far from acceptable within their corporate culture as to be totally distanced from them. That would be very different to an "everyone does it" culture that seems to have affected banking.

    2. Oliver Mayes

      Re: I expect to be flamed

      No employee should be able to fully export their payroll data and take it out of the building. The company should be liable for not securing that data at the very least.

      1. Black Betty

        Re: I expect to be flamed

        RTFA: Skelton was specifically tasked with providing that payroll data to KPMG. Whilst doing so he took a copy for himself.

        1. Anonymous Coward
          Anonymous Coward

          Re: I expect to be flamed

          Once upon a time, long before the InterwebzOfTwattery became a saleable (if laughable) concept, there was this thing called "two factor authentication".

          It's even been written about on this fine organ here from time to time.

          In oversimplified terms here (and in some other well documented cases), you might see a setup where one player has access to the bits in the file, but not to the 'meaning' of those bits, and a different player has access to the meaning (but doesn't have access to the bits).

          It therefore takes two untrusted players before it becomes easy for information to leak.

          One of the two players in this picture was a Big Four auditor [1] but y'know, set that aside for now.

          What difference might such a concept have made in this case?

          [1] KPMG's audit work unacceptable, says watchdog

          https://www.bbc.co.uk/news/business-44526486 (and elsewhere, 18 June 2018)

          The auditing work of one of the world's "Big Four" accounting firms has been sharply criticised by the industry's watchdog. KPMG audits had shown an "unacceptable deterioration" and will be subject to closer supervision, the Financial Reporting Council said. The FRC added all the Big Four - which also include PwC, EY and Deloitte - needed to reverse a decline.

          [...]

          KPMG came in for criticism over its audit of collapsed construction firm Carillion earlier this year, and the FRC has opened an investigation into the group under the Audit Enforcement Procedure.

          The auditor was also recently fined £3.2m by the watchdog over its audit of insurance firm Quindell. Last year, the FRC opened an investigation into KPMG's audit of the accounts of aero-engine maker Rolls-Royce.

          [...]

          1. Allan George Dyer

            Re: I expect to be flamed

            You're confusing "two factor authentication" with "dual control".

        2. kwhitefoot

          Re: I expect to be flamed

          Pure laziness. KPMG should have audited it on-site.

      2. Keith Langmead

        Re: I expect to be flamed

        "No employee should be able to fully export their payroll data and take it out of the building."

        Did you even read the article to the end? It was his job specifically to export that data!

        "Skelton, the data thief, was an IT auditor for Morrisons."... "After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick."

        So not only was he the one tasked with making the copy, the export had been made to an encrypted device which to my mind suggests Morrison's procedures had taken care to protect the data in transit, but he while knowing the details to access that secure drive made the copy from there and not from their systems directly (so avoiding any audit logging they might have in place for tracking mass exports).

        1. Doctor Syntax Silver badge

          Re: I expect to be flamed

          "It was his job specifically to export that data!"

          It wasn't his job to export the data for himself to take away. It's up to Morrisons to have sufficient controls in place to prevent that.

          1. Nick Kew

            Quis custodiet ipsos bootstrap?

            It wasn't his job to export the data for himself to take away. It's up to Morrisons to have sufficient controls in place to prevent that.

            Morrisons then has to employ (or contract) someone to devise and implement such controls.

            As I said, though, this is non-trivial and there is an implicit trust placed in IT personnel. The implication is generally that a skilled admin will never be able to work in that field again if he wilfully and maliciously abuses that trust, so the risk is considered small.

            It would be ageist to refuse to hire a skilled admin close to retirement. Sexist to refuse one who might leave the workplace to become a full-time mother. And clairvoyant to know your sysadmin has an entirely new career lined up.

            1. phuzz Silver badge
              Unhappy

              Re: Quis custodiet ipsos bootstrap?

              "a skilled admin close to retirement"

              Retirement? That's that thing that boomers do where they just stop working, right?

              Don't worry, no one under forty will be able to afford that, even if we do live until eighty or whatever the retirement age is by then.

        2. Roland6 Silver badge

          Re: I expect to be flamed

          "The key question of any case of vicarious liability is whether the employee was acting in a personal capacity, or in the course of their employment."

          "After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick."

          So it is clear that at the moment Skelton made a private copy he was acting in a personal capacity and not in the course of his employment. So if ACAS have it right, Mr Justice Langstaff's December 2017 ruling is based on flawed understanding and thus is unsafe. Reading through the original judgement I think para 183 makes clear that Langstaff has confused Skelton's personal preparations to disclose information with the course of his employment and starts to write his own narrative based on faulty logic and goes on to reframe evidence to 'support' his faulty understanding.

      3. a pressbutton

        Re: I expect to be flamed

        well, you pretty much do that every time you pay them.

        the point is procedures / safeguards / security and control (as others have said)

    3. Tom Melly

      Re: I expect to be flamed

      Unlike the LIBOR stuff, the employee here was acting against the interests of the company, so there's no question that Morrisons encouraged this by any means.

      I honestly can't see how they're liable, since I can't honestly see how they could have prevented this. The guy wasn't acting out of ignorance - he damn well knew what he was doing was wrong.

      1. Anonymous Coward
        Anonymous Coward

        Re: I expect to be flamed

        > I honestly can't see how they're liable ...

        If you employ someone, and they do something which damages other people... you (the employer) are liable for it. The motive of the employee isn't relevant, as you're the responsible party.

        1. Anonymous Coward
          Anonymous Coward

          Re: I expect to be flamed

          "If you employ someone, and they do something which damages other people... you (the employer) are liable for it. "

          So if I deliver pizzas for your pizza company, and I run over someone, you expect to be charged for murder?

          1. eldakka

            Re: I expect to be flamed

            So if I deliver pizzas for your pizza company, and I run over someone, you expect to be charged for murder?

            This case isn't about criminal charges, it is about civil liability - fines/monetary compensation.

            And in that case, absolutely would the pizza company have to pay some level of compensation to the victim and or victim's family. If for no other reason than they hired someone and placed them in a role (drving a death machine) they were not suited for.

      2. Dan 55 Silver badge

        Re: I expect to be flamed

        I honestly can't see how they're liable, since I can't honestly see how they could have prevented this.

        Encrypt it with a password/secret that he didn't know.

        1. Brewster's Angle Grinder Silver badge

          Re: I expect to be flamed

          "Encrypt it with a password/secret that he didn't know."

          Okay, let's suppose a prescient designer set up the system so that when an encrypted archive is exported, the password is handed to a nominated second user, and that the two users don't collude while transferring it to the external auditor, then we still have a person (the external auditor) who has access to the data on unaudited media and has the password.

      3. eldakka

        Re: I expect to be flamed

        Unlike the LIBOR stuff, the employee here was acting against the interests of the company, so there's no question that Morrisons encouraged this by any means.

        I honestly can't see how they're liable, since I can't honestly see how they could have prevented this. The guy wasn't acting out of ignorance - he damn well knew what he was doing was wrong.

        So, what about this example.

        An on duty COP on foot patrol sees someone he doesn't like walking along minding his own business, pulls his service firearm and shoots dead that person.

        Are you saying that the Police Force (or it's government overseers) couldn't be held accountable, couldn't be sued, for the unconscionable, totally against any and all police training and procedure and unforseeable, actions taken by the COP?

        Or, while on-duty, a COP uses police databases to find the home address of someone who's address may not otherwise be easily publicly available, say of a Judge or other official who's information is usually kept restricted, also stealing a firearm from the evidence locker. Then, later after they've gone off duty, they take that firearm they stole from evidence around to that persons home address and shoots them dead.

        Are you saying the Police Force would have no liability because it was against training and policy, and it was criminal/civil acts (violated data access policies, stole from the evidence locker)?

        The common situation is as follows:

        1) Person obtains information and/or items through their employment, that they otherwise would not have access to.

        2) Person uses said information and/or items in a criminal act and/or civil tort while still also employed by that employer.

        Employer bears some element of responsibility under normal common law tort which would then by decided in a court (or optionally out-of-court settlement if civil), maybe only 5% responsibility, say slap-on-wrist $1000 fine, maybe significant responsibility, say 35%, so significant penalty, $25k fine, maybe majorly responsible, 60%, $100k fine and potential criminal liability also gets investigated.

        And that is under everyday common law tort. But here we have specific legislation to also consider that covers liability.

    4. phuzz Silver badge

      Re: I expect to be flamed

      If your payroll data is internal then your backup admin can probably get at it. Most companies don't have a specific backup admin though, so it'll be any/all of your sysadmins, plus their manager who's insisted on having domain admin credentials despite not having done any support work since NT 4.0.

      Even if you work in the one company in a hundred that's prevented their sysadmins from having access to all systems, at some point someone in accounts is going to have to pay people, and that means access to the payroll data.

      1. Dr. Mouse

        Re: I expect to be flamed

        If your payroll data is internal then your... admin can probably get at it.

        That depends on the setup.

        While not trivial, it is possible to make a system which will not allow the admins access to full plaintext data. Data security concepts require restricting the data to only those who need access.

        As I said, though, this is non-trivial and there is an implicit trust placed in IT personnel. The implication is generally that a skilled admin will never be able to work in that field again if he wilfully and maliciously abuses that trust, so the risk is considered small.

        In this case, the only way I can see that this could have been prevented would have been to make the export encrypted using a key known only to the auditor: Maybe using asymmetric encryption, or just a passphrase entered directly by the auditor. However, you still have to trust that the auditor won't leak the data...

        I agree with the above comments: As long as Morrison's data protection policies, procedures and systems are good, the fact that the employee criminally stole the data should at least reduce their culpability in this matter. Reading between the lines, there is no suggestion that their procedures and systems were not up to scratch. The vast majority of the blame should lie with the thief, and Morrison's should learn from this incident and improve procedures to make it more difficult in the future.

      2. Alan Brown Silver badge

        Re: I expect to be flamed

        "If your payroll data is internal then your backup admin can probably get at it. "

        And as such, you need to observe GDPR or data protection rules - starting with the absolute minimum set of people able to have access as possible and controls to prevent misuse.

    5. Someone Else Silver badge

      Re: I expect to be flamed

      Trying to argue that a corporation has no responsibility for employee actions rogue or otherwise would create all sorts of bizarre anomalies.

      Of course it would, one of which would be the "Libertarian Utopia" all 1-percenter corporatists cream their Brooks Bros. slacks over.

  3. silks

    Indeed, Morrisons are responsible for the actions of their employees.

    1. Nick Kew

      So when a Morrisons employee crashes their car, the victims (or their family) will know where to turn for compensation? Even if the employee was under no pressure of work, no need to hurry?

      1. Tom Melly

        Does he crash it whilst on company business or during his own time? Besides, not that relevant unless the driver had no insurance.

      2. Doctor Syntax Silver badge

        "So when a Morrisons employee crashes their car"

        Who's "their" in this context? If it's Morrisons' car then very likely their responsbility: either he's on Morrisons' business or he's taken it without their permission and Morrisons failed to have sufficient controls in place. If it was his own can and he was driving for his own purposes then it was nothing to do with Morrisons. However when an employee is using Morrisons' own computing facilities then they have to have some responsibility for what's done with them.

        I've got to go out now. I need to get some bread at Morrisons.

        1. Anonymous Coward
          Anonymous Coward

          Do you let a bull run riot?

          If you fence in a bull, and it escapes, we can discuss who is to blame.

          If you leave the door open, and the bull escapes, do we need to discuss if the bull is to blame or the one who left the door open?

    2. Jason Bloomberg Silver badge

      Morrisons are responsible for the actions of their employees

      Not entirely. It depends on what those employees do and what steps an employer has taken to prevent that and ensure it does not happen.

      There are things which an employer has little control over and they are unlikely to be held culpable when that happens. But, in this case, the courts have determined Morrisons did not do enough and that's what leads to them being held culpable.

      Whether an employee should be held culpable should an employee go postal and shoot-up the office is often presented as obviously being beyond an employer's control. But the fact is it comes down to how likely that is to happen and what an employer had done to prevent or mitigate such a thing. If they effectively allowed it to happen when they could have prevented or mitigated it but failed to they will be held culpable to some degree.

    3. Warm Braw

      Morrisons are responsible for the actions of their employees

      If you follow that logic to its conclusion it expalins MGM suing the victims of the mass shooting in Las Vegas.

      In practice, I would hope responsibility would depend on the extent to which Morrisons were negligent in exercising reasonable controls to prevent such incidents happening. And in that respect, I'm far more concerned that KPMG felt entitled to an entire copy of the company's payroll, without any form of obfuscation, and that their request went apparently unchallenged.

      1. Ochib

        "MGM suing the victims of the mass shooting in Las Vegas."

        MGM is not suing for money, but the company wants a federal court to rule that it cannot be held liable for the shooting by more than 1,000 victims and others it named in the suits. The company said it named only people that have already sued or given notice that they intend to do so.

        It is based on a federal law passed after the Sept. 11 terror attacks, which is known as the Support Antiterrorism by Fostering Effective Technologies, or Safety, Act.

        The law is intended to shield federally certified manufacturers of security equipment and providers of security services from liability should they fail to prevent a terrorist attack, which the law defines as an unlawful act that causes mass destruction to citizens or institutions of the United States.

        MGM contends that under the law, which Congress passed in 2002, it is immunized from liability because it met two conditions: A security company that was hired for the concert had a certification from the Department of Homeland Security, and the shooting qualified, in the company’s view, as an “act of terrorism.”

      2. Dr. Mouse

        I'm far more concerned that KPMG felt entitled to an entire copy of the company's payroll, without any form of obfuscation, and that their request went apparently unchallenged.

        Ditto. Did they need the payroll in it's entirety? I doubt it, but it is easier to ask for that than it is to ask for only certain parts, with obfuscated/anonymised fields, and request specific additional data later if needed.

        1. The Nazz

          What surprises me ...

          Is that the request from KPMG for a copy of the entire payroll database wasn't managed at Board level, specifically by the Financial Director ( CFO equivalent) and should have been performed by someone in the Finance and Accounting department, much more senior than Skelton*. Purely for organisational reasons alone. If at all, why on earth KPMG were not made to do their work on the database whilst under complete scrutiny and security at all times baffles me.

          *Yesterday's BBC article on this matter described Skelton as a Senior *Internal* Auditor, a different role, and not merely an IT auditor though these days IT functions would make up a large proportion of his work.

      3. Anonymous Coward
        Anonymous Coward

        Auditors have more power than most employees...

        You would be surprised (or perhaps not) to know just how often a request for data that is otherwise strictly locked down is waved through because "the auditors have asked for it". But the auditors cannot be granted access to the data directly, because of the controls that the auditors insist on being in place.

        So a new rule is created that allows an employee to be given the access they need to provide the auditors with the data they want (I hesitate to use the word "need" here). And as soon as you have that then you have created a bond of trust with any employee given that access. Trust is more easily broken than any control can be circumvented, especially if you have a toxic relationship with the trusted party.

        The fact that any disciplinary process existed at all in respect of the person involved in this case could be seen as a significant indicator of a breakdown of trust - on one, other or both sides. I imagine the courts might be considering that factor not being adequately weighted in the lack of any additional oversight or supervision being applied, until such time as that trust had been re-established with a degree of confidence.

  4. Anonymous Coward
    Facepalm

    Just another tax.

    Would the Company be vicariously responsible if the same employee had gone postal as a result of the grievance. I don't think so!

    Lessons learned! If an employee throws a wobbler, give them a zombie knife, not a USB stick.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just another tax.

      Would the Company be responsible if the same employee had gone postal?

      Doubt it but I don't know. But they are liable for criminal misconduct of employees within the scope of their employment, that is a well established principle of English law.

      That appears to be the case here, and Morrisons are still trying to weasel out of their responsibility, despite having lost two rounds in court. I hope they'll lose again, bastards. It is worth translating the argument from data to money, to see how the principle of their argument works. Imagine I put my savings with Morrisons Supermarket Bank plc. There's a theft by an employee. Morrisons argument would be "Sorry, you can't have your savings back. They were stolen through an inside job, by one of our employees, but because he broke the law it's not our fault, so you'll have to sue him".

      1. aje21
        Big Brother

        Re: Just another tax.

        If a company provides a mechanism by which an employee can transfer client's savings to their own account without anyone needing to approve the transfer, no audit picking it up, etc. then I would suggest they should be liable. In this case the employee was doing the transfer to an outside party as part of their job and *copied* the data in the process. Can't really do that with money...

        If the data which was being provided to the outside party had gone AWOL then the company should be liable. I don't know enough about this specific case to say for sure if Morrisons should be liable for the data breach, but as a principle of law it seems odd that a company should be considered responsible for the actions of its staff when they are NOT doing what the company has instructed them to do.

        If a company has rules in place to prevent data breaches (and suitable technology too) and someone specifically does something against those rules it has to come down to what measures were in place to stop it being possible or to detect it had occurred before the data could get out of the building.

        1. DavCrav

          Re: Just another tax.

          "no audit picking it up"

          He was the internal auditor. And he was giving the data to the external auditor. And it was noticed.

          1. Doctor Syntax Silver badge

            Re: Just another tax.

            "And it was noticed."

            It was noticed by the Argus because he sent them a copy and they did the right thing and notified Morrisons.

      2. Tom Melly

        Re: Just another tax.

        Not that relevant - a bank can pay back the stolen money, and has a clear responsibility to do so, negligent or not. In this case, we talking about a punitive fine that, IMHO, should only be issued if the company can be shown to have done something wrong (which doesn't seem to have been the case).

  5. Doctor Syntax Silver badge

    “render the court an accessory in furthering Mr Skelton’s criminal aims”

    Nice try. Admirable, even.

    But it conflates two issues. One is his criminal aims for which, according to TFA he's been tried and convicted. The other is in Morrisons' conducting their business in a manner which allowed him or anyone else to do this whatever the aims.

    1. Anonymous Coward
      Anonymous Coward

      He was an auditor. He needed access to the full payroll data to do his job. How were Morrisons supposed to be able to mitigate against what he did? Strip searches of staff at the end of each working day to look for hidden USB drives?

      The law needs to be able to hold companies to account where they've contributed to criminal activity, but there has to be some balance, otherwise the courts are just punishing the (corporate) victims. In the meantime the cost of business risk insurance will get pushed up to cover this factor, and everyone ends up shouldering the costs through higher prices.

      1. Anonymous Coward
        Anonymous Coward

        Morrison’s are clearly negligent by not blocking USB drives with a Group Policy.

        1. Just Enough

          valid use

          And what if using USB drives are an active and valid part of business operations?

          1. Velv
            Boffin

            Re: valid use

            And what if using USB drives are an active and valid part of business operations?

            Then there will be clear policies and training in place about what is acceptable and what is not acceptable, and appropriate level of controls.

            For example at a site I previously worked at there is a valid business process that requires a weekly transfer of sensitive data.

            There is a four eyes policy on the extraction and loading of the data - two people must undertake the task.

            The USB ports are software locked - a break glass account is used to complete the task and that account has the role based access to use the USB port. There is an approval process to obtain the break glass credentials and their use is time bound.

            The USB stick is encrypted to a high standard,

            The USB stick is transported by a third party security provider using tamper evident pouches.

            This does not prevent theft of the data, it just makes it extremely difficult without collusion between several people.

            Did Morrison’s just let the guy gave access to open USB ports with no auditing of the data, and no policy about removing USB sticks from site? Very possibly, and therefore it did not take reasonable precautions to prevent loss.

            1. Doctor Syntax Silver badge

              Re: valid use

              "Then there will be clear policies and training in place about what is acceptable and what is not acceptable, and appropriate level of controls."

              Including staff selection policies. If he'd been warned about misuse of company facilities should they have reviewed the level of continued trust placed in him?

              1. Anonymous Coward
                Anonymous Coward

                Re: valid use

                "should they have reviewed the level of continued trust placed in him?"

                Tricky - you're suggesting that consideration should have been given to firing him or moving him to a non-auditor post because he'd been caught sending a private letter through the company post. I can see that going down well in the resulting employment tribunal.

  6. Andy The Hat Silver badge

    How far the employer can be responsible for an employees actions?

    If something is done in work's time and in the interests of the company it can clearly be argued that the company should be vicariously responsible. If actions are committed against the company then surely that company cannot be held vicariously responsible for it's own demise?

    If the company were enabling actions (by providing access to the data in the normal course of duties) then the court appears to be saying that the company is vicariously responsible. However, when a guy went for an 11 mile jolly involving a 'police chase' and demolition of loads of cars with a massive dumper truck in Norfolk (which he was legally employed to drive) *he* was held responsible, the company were not.

    I think this opens a can of worms. What the Judges appear to be saying is that if an employee wants to take the company down, they should do it in the office, in work's time, using a computer.

    1. David Neil

      What controlsand monitoring did Morrison's have around data useage?

      Anyone copying that amount of sensitive data should be setting off alarms and having to account for it

      1. Anonymous Coward
        Anonymous Coward

        That type of alarm wouldn't work. The breach was not in that he accessed that amount of data, but that he was able to take a second copy of the data and exfiltrate it for his own nefarious purposes.

  7. Nick Kew

    Precedent

    Isn't there a potentially-troubling precedent here? One that looks a bit like a BoFH column, in which Simon Gets His Way by blackmail - threatening The Boss with a leak like this?

  8. jms222

    Access is not the same as bulk export

    > He was an auditor. He needed access to the full payroll data to do his job.

    and should have been able to view what he needed in summary and record by record sitting at a terminal on the company's premises. He never needed the ability to insert a USB device and bulk export to it.

    For that reason I think Morrison's are at least partially to blame.

    1. DavCrav

      Re: Access is not the same as bulk export

      "and should have been able to view what he needed in summary and record by record sitting at a terminal on the company's premises. He never needed the ability to insert a USB device and bulk export to it."

      From the article:

      "After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick."

      And how would KPMG get it if not via some sort of export mechanism?

      1. Anonymous Coward
        Anonymous Coward

        Re: Access is not the same as bulk export

        "After external auditor KPMG asked for copies of various data including the entire company payroll, ...

        Morrisons were clearly at fault for not saying "no, you come and inspect the data on our premises". Even on an encrypted drive, KPMG would have needed the password, so there was no real guarantees other than KPMG's promising to be good boys. The obvious lesson here is that data needs to be properly controlled, but there's two more lessons:

        1) Exporting sensitive data in bulk to other companies is a really stupid idea for any reason. I don't buy the idea that KPMG really needed a copy of the data - access, yes, but a copy on their own systems, not in a million years. I suspect they were doing a desk audit at KPMG Towers because somebody somewhere balked at the idea of a couple of audit juniors spending two days on site.

        2) If you have to assume that you can't trust your own auditors, why should you assume that you can trust an external auditor?

  9. David Roberts

    Worrying level of blame redirection.

    There seem to be conflicting issues.

    (1) a company shouldn't be able to wash its hands of something an employee does under all circumstances

    (2) a company shouldn't be liable for what an employee does under all circumstances

    As reported, the employee had legitimate access to the data and decided to make an extra copy. I would guess that most sysadmin types have the ability to do this undetected at some time or other (see virtually every Who Me? episode).

    Analogies are always dodgy, but without total mind control how do you prevent employees breaking the law? Does ever employee have to have another employee monitor every keystroke? Should every employer institute a strp search including major bodily orifices every time an employee enters or leaves the workplace? If an employee working from home downloads porn onto a work PC is the company liable? I (think I) know that if someone manages to sneak drugs onto your property without your knowledge or consent you are still liable under English law.

    Bottom line; it isn't clear how Morrisons could, within normal business constraints, have prevented this. It may rest on how reasonable it is to have all external access (USB and other exchangeable media such as CD/DVD) disabled on all machines and all data in and out of the network heavily inspected for signs of illegal transfer. However you are then heading towards military levels of security and the consequent costs.

    Also worrying is the mention of insurance, which seems to suggest that the business should not go to the expense of policing the workplace and instead just insure against any fine. Very financial industry where fines for breaches of regulations are often treated as the cost of doing business.

    1. Oddlegs

      Re: Worrying level of blame redirection.

      Bottom line; it isn't clear how Morrisons could, within normal business constraints, have prevented this

      This is the crux of the matter. If a rogue employee wants to get data out they will. Even in military environments I suspect a major deterrent against wrongdoing is the fear of personal punishment rather than any steps the employer may have put in place to prevent them. Morrisons should be responsible for compensating any actual losses but I doubt the majority of the 5000 claimants have taken any action as a result of the breach other than saying 'yes please' to a lawyer who came calling promising them some cash.

    2. Steve Todd

      Re: Worrying level of blame redirection.

      Bottom line; it isn't clear how Morrisons could, within normal business constraints, have prevented this.

      Other than by, for example, making it company policy that sensitive information should not be loaded onto a USB drive, and by applying technical controls to ensure that it didn't happen. If the external auditor truly needed access to this data then provide him with a remote desktop account so that he can see it but not download it.

      What part of that was difficult?

      1. Anonymous Coward
        Anonymous Coward

        Re: Worrying level of blame redirection.

        "making it company policy that sensitive information should not be loaded onto [removable storage]"

        I've worked with several companies with such policies that apparently exist solely for corporate-CYA reasons.

        Ethics and anti-corruption policies, for example, seem to only apply to the little people on the shop floor or in the offices. In the boardroom and where the real deals are made, anything goes.

  10. Anonymous Coward
    Anonymous Coward

    All that because..

    "for using its postal facilities for himself"

    He caused all this trouble over a few postage stamps?

    That's some next level vindictiveness right there. How petty.

    1. Hollerithevo

      Re: All that because..

      I suspect it was more than a few postage stamps. I've been at companies where the mail room person shook his head over people clearly doing some sort of side business, using free postage, parcel delivery etc. More than merely having your online shopping delivered. He didn't report if because the guy was senior. I know companies tend to shrug when employees get birthday cards etc sent for free, but that's just secretaries and middle managers. Above that, senior managers should set an example of integrity. Auditors most definitely have to show personal and well as professional integrity. If I had to censure an internal auditor over what was theft, I would be seeking to encourage him to move elsewhere. I would also be keeping a beady eye on him. Keystroke stuff, for instance.

  11. jms222

    Military levels of security

    Give me a few minutes with a screwdriver and a tube of glue and I'll show you how far you can get at least with USB and optical drives.

    There are also ways to disable USB and USB storage in operating systems which assuming you prevent booting from other stuff goes a long way.

    1. Oddlegs

      Re: Military levels of security

      You're right. It's trivial to disable USB devices to prevent data getting out

      ...and internet access

      ...and remote working

      ...and printing

      ...and mobile phone cameras

      But do all of the above and just wait for the complaints from staff about how 'their employer doesn't trust them and is making it impossible to do their job'

      1. Anonymous Coward
        Anonymous Coward

        Re: Military levels of security

        But do all of the above and just wait for the complaints from staff about how 'their employer doesn't trust them and is making it impossible to do their job'

        Doesn't have to apply to everybody. I do confidential stuff all the time, and I am classed as a "mobile worker", but I don't deal with sensitive personal data, and I don't have access to our payroll data, or HR database. I think you'll find that the people who do have access to these databases are relatively junior, and office based, where they have to accept the controls. If the HR director or senior managers of Morrisons have access to the HR database, something's very, very wrong. An auditor I can understand having access - but still shouldn't be able to exfiltrate bulk data as easily as he did.

        1. Anonymous Coward
          Anonymous Coward

          Re: Military levels of security

          "I think you'll find that the people who do have access to these databases are relatively junior,"

          When something vaguely similar to this happened once where I worked (couple of HR employees after hours perusing salaries in HR database) then it was a couple of YTS trainees involved ... and when someone more senior came in and found them they were ex-YTS trainees pretty rapidly. N.b. "YTS trainee" dates this as being some time ago so while almost everyone knew what had happened the idea of claiming compensation never occured to any of us

  12. shedied

    Something new

    He went postal first.

  13. MJI Silver badge

    Morrisons need to counter sue

    The rogue worker.

    He should pay any fine Morrisons incurr, simply because he had to have access to the data to do his job.

  14. Anonymous Coward
    Anonymous Coward

    Difficult

    I was on the side of Morrisons when reading the article. I could go rogue this very moment and dump loads of data for the company I'm in and no one would know before it's to late. How can you blame the company I work for, for that. The position I'm in, I have access to everything? As far as they are concerned, I'm decent and honest (I am, I'm just using this as hypothetical example).

    But then reading some of the comments it's now difficult because as mentioned, if Morrisons are let off, incidents like Libor could happened more or the Tesco finance fraud.

    I guess you could say what was the company culture there like? If he got a bollocking for using internal mail for himself, how did they go about it? Did they bollock him in a truly embarrassing way. It could then be argued their company culture caused this, so they are at fault. Or did they respectively ask him to stop abusing the internal mail and then because he's a cock he just went postal anyway?

    1. Roland6 Silver badge

      Re: Difficult

      >"I was on the side of Morrisons when reading the article. ...

      But then reading some of the comments it's now difficult"

      Suggest you read the original judgement, it is clear there are many red herrings, including the use of a USB stick. Fundamentally, Skelton at an instance in time had both the authority and means to transfer sensitive information outside of the Morrison's walled garden. The only question is whether he actually needed to be able to see the data ie. access it in its unencrypted form, or just needed to handle and pass on an encrypted file.

  15. Anonymous Coward
    Anonymous Coward

    Quite unethical I'd say...

    If this man was a properly trained IT Pro with an ethical backbone, then he should have fought the company from within. If you want a payback, wipe out a server or 2 and let them swim for 2 days trying to recover than put at risk so many others of your colleagues.

    Morrisons should be perhaps partially liable but I can't see for what. This guy was IT and probably would have had extra access right to a lot of things to allow him to do his job anyway and they place a certain level of trust in him being a Pro.

  16. Anonymous Coward
    Anonymous Coward

    The obvious resuilt of this will be articles and comments in a year or two's time about how impossible IT work is becoming with all the additional audit trail forms needing to be filled in and rules preventing IT staff working without anyone else to supervise them along with CCTV recording everything 24/7

  17. Anonymous Coward
    Anonymous Coward

    Judge is the criminal OR

    So if a police or military person goes nuts while on duty and murders people, the government is to blame as much if not more than the nut job? or does this law only apply to private sector? So if a pizza delivery person gets a speeding ticket, will the pizza company have to pay part of the fine? If I work for a company that I want to ruin, and I do illegal things, will it get myself or the company in trouble - ohhh I guess we know the answer,........

  18. Anonymous Coward
    Anonymous Coward

    So let me get this straight...

    The perpetrator's primary objective was to ruin his employer but the only way he could succeed is with the collaboration of the judicial system?

    The irony is that their action is supposedly not perverting the course of justice.

    You couldn't make it up.

    More source material for the NottheOnion website :/

    1. Nick Kew

      Re: So let me get this straight...

      Quick lesson in life: that's the primary purpose of the judicial system. More expensive than hiring a gang of thugs or an assassin, but does a more thorough job and leaves you in a stronger position if you feed it sufficient gold.

      C.f. patents, for an application area likely to be more familiar around here.

  19. Anonymous Coward
    Anonymous Coward

    Are the courts trying to make law rather than just uphold it?

    Since when has a company been liable for the criminal acts of its employees acting in direct contradiction of company rules?

    As an analogy, if an employee released a major environmental pollutant on company property in order to damage his employer, why would the employer be punished?

    And if the perpetrator was a Tory MP, should Parliament be held liable and punished, or the Conservative party? If not, why not? What's the difference with this case?

  20. Multivac

    Hey....

    ..... could someone please tell the dude in the picture for this article that if they pop a bit of tape over their web cam they could probably take that balaclava off.

  21. Aristotles slow and dimwitted horse

    So whilst every other company...

    So whilst every other company would either take it on the chin, and/or continue to invest in DLP initiatives and services, Morrisons only concern is about it's image??

    I'm glad I stopped shopping there years ago. Although they do have a fab bakery in the store in Horndean.

  22. Tom Paine

    "Trusted partners"

    After external auditor KPMG asked for copies of various data including the entire company payroll,..

    I'm an infosec grunt in the trenches. See these scars? KPMG annual audit. These ones -- management consultancy at another Big Four firm who likewise wanted basically unrestricted access to everything. And so on and so forth.

  23. Aodhhan

    Poor article--Where is the information on due care

    Horrible investigation by the author. It leaves far too many questions unanswered.

    No mention of whether or not the company has policies in place regarding data--or if the company practices proper due care and due diligence. Which is going to be the center piece.

    Due care is often the primary checkbox item regarding negligence and liability. The article should have really pursued this aspect--and failed to do so.

    Did the employee have to circumvent policies/procedures... or was the data just handed to him?

    When and how did the company find out about this?

    Was a background investigation required for certain employees? ...on and on.

    If a company doesn't do anything to protect data--especially regulated data--then it is negligent. Data must be protected logically as well as administratively. A person shouldn't be able to just ask for or have access to all data without controls.

    Companies all over the globe are learning the hard way about due care.

    1. Roland6 Silver badge

      Re: Poor article--Where is the information on due care

      >"No mention of whether or not the company has policies in place regarding data--or if the company practices proper due care and due diligence. Which is going to be the center piece. ...

      It's all there in the relevant official documents; it was by referring to the security logs that they traced the leak to Skelton.

      Interestingly, Justice Langstaff in his December 2017 judgement skirts around the real issue, namely 'trust'. It is clear that he thinks and argues that Morrisons were not wrong in the level of trust they gave Skelton, nor were they negligent in their use of the security logs ie. only referring to them after the event.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like