HR and Compensation & Benefits specialists are set to join the growing number of professionals for whom cyber security is a priority.

A recent data breach at supermarket chain Morrisons and the subsequent court cases bring into sharp focus why cyber security is something all stakeholders should have high on their agenda, not least the executives in the Human Resources department. 

In October 2018 a Court of Appeal ruling confirmed (opens a new window) that Morrisons is liable for criminal misuse of its data in a breach that saw salary and bank data of employees posted online. The case not only exposed the supermarket chain to compensation claims for “upset and distress” but also to potential negative publicity and remediation costs. It serves as a reminder that sensitive data sitting in the HR department may need special attention and protection.

“The court decision suggests that keeping sensitive, personal data secure and protected should be included in the responsibilities of HR executives along with the traditional tasks of attracting and retaining talent, maximising the employee value proposition, or supporting employee well-being and managing cost effective benefits,” said Chris Rofe, Senior Vice President in the UK and International Benefits Practice at Lockton.

How it happened

In 2013 Andrew Skelton, a senior information technology (IT) internal auditor at the supermarket chain, received a formal verbal warning for using company posting facilities for private purposes. He was also accused of “dealing in legal highs” while at work. The auditor continued in his duties however increasingly bore a grudge against Morrisons as a result of the disciplinary action. 

In 2014, during the course of his auditor duties, he requested the company’s payroll data in order to conduct an annual audit. A member of the HR team copied the data onto an encrypted USB stick which Skelton transferred onto his work laptop and made an additional copy onto his personal USB drive. 

Skelton then took the data from the USB drive and posted personal information from 99,998 employees on the file sharing website Tor. The data consisted of names, addresses, bank account details, salaries and national insurance numbers. 

He later sent a CD with a copy of the data to three newspapers, just as the company was about to announce its annual financial results. 

Shortly after Morrisons’ management became aware of the data breach, investigations led to the arrest of Skelton who was subsequently sentenced to eight years in prison. The case reportedly cost Morrison’s more than £2 million in professional and legal fees to remediate the data breach. 

This was not the end of the matter, though, as 5,518 former and current employees of Morrisons lodged a class action against the company, claiming the breach exposed them to identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws. 

Morrisons claimed in a statement that the courts had not blamed the company for the way it protected colleagues' data. Nevertheless, in October 2018 Morrisons’ employees won their case in the High Court which ruled that Morrisons was ‘vicariously liable’ for Skelton’s actions, and would have to pay compensation. Morrisons appealed the judgement which was dismissed at the Court of Appeal and they are now considering a Supreme Court Appeal.

“There are a number of cyber security methods that could have prevented this breach,” said Peter Erceg, Senior Vice President Global Cyber and Technology at Lockton.

“Insider threat software could have been used to detect unauthorised copying of such sensitive data as an example, but often it’s the reluctance of HR to allow the use of such tools either on a general basis or to monitor usage of high risk roles or individuals that removes this ability,” Erceg noted. 

In addition, controls could have been put in place to stop the copying of data onto USB storage or cloud storage facilities or at least report when this has happened, he explained.
“There often is very little challenge the other way, from HR to the security teams on what controls are in place to protect their most sensitive information from the HR and payroll systems,” Erceg said. 

An ounce of prevention

Similar cases may become more painful for companies in the future after the introduction of the new general data protection regulation (GDPR) in 2018, which includes tighter standards for data protection in Europe and fines of up to €20 million or 4 percent of annual global turnover, whichever of both is highest.

By not involving enough stakeholders in their cyber breach plans, particularly the HR department, companies may be leaving themselves exposed. While 96 percent of businesses said that the head of IT is involved in the cyber breach scenario planning only 7 percent said the same about the head of HR, according to the Lockton Cyber Security Report 2017. 

“The Morrisons case shows that the HR department needs to be a strong voice in their company’s cyber security strategy,” Rofe said. “The impact of a breach can be far reaching, affecting multiple parts of the business and if it impacts or involves staff then HR will play a key role,” he added.  

For further information, please contact:

Chris Rofe, SVP, Employee Benefits

Tel: +44 (0)20 7933 2876 | chris.rofe@uk.lockton.com (opens a new window)                         

Peter Erceg, SVP, Global Cyber & Technology

Tel: + 44 (0)20 7933 2608 | Email: peter.erceg@uk.lockton.com (opens a new window)