Morrisons data theft smacks of insider hacktivism, say security experts

The theft of payroll data from supermarket chain Morrison smacks of insider hacktivism, say security industry representatives

The theft of payroll data from supermarket chain Morrison smacks of insider hacktivism, say security industry representatives.

Data, including bank account details, has been published online and sent on a disk to a newspaper, according to the supermarket.

Morrisons said its initial investigation does not point to the work of an outside hacker and there has been no loss of customer data. Around 100,000 employees are affected, reports the BBC.

The firm is conducting an urgent review of its internal data security systems and has set up a helpline for its staff.

From the tactics used, the theft is more likely to be an act of revenge or hacktivism, because the perpetrators wanted to make the stolen data public, said Lancope CTO Tim Keanini.

“If they were cyber criminals, it would have been harder to find in the initial stages because it would have been for sale on some darknet and for a price," said Keanini.

“Also, the data being sent to a newspaper is another sign that the perpetrator wanted it to be a very public event.”

Read more about privileged access

The fact that only employee data appear to be involved, said Keanini, is another sign that the theft is unlikely to be the work of cyber criminals, who would typically go after valuable customer data.

The incident, he said, highlights the importance of systems to log all data access and flag any anomalous behaviour by employees using valid credentials.

Mark James, technical director at ESET UK said that, although under early investigation, the incident may demonstrate that the moat around the castle model is redundant if the enemy already lies within.

“While protection against external threats is essential, not all danger comes from outside parties. As such, security policies need to also be as focused on the threats from within,” he said.

Anomalous behaviour

According to James, detection is an important as protection. Appropriate security policies should be implemented to ensure alarms are raised as soon as unusual behaviour is detected.

“Should these hurdles be overcome, the proactive use of encryption should ensure sensitive data cannot be used for any meaningful purpose, should it get into the wrong hands,” he said.

George Anderson, product marketing director at security firm Webroot, said the incident underlines that a well-developed and executed data security policy should be able to protect against all sorts of breaches, including internal ones.

“The best approach to security is to create a layered defence. It should encompass everything, from identity protection and strong authentication like passwords, PIN codes and biometrics, to data encryption which ensures even compromised information can only be used by those with the necessary deciphering encryption keys and permissions,” he said.

Privileged user access

Paul Ayers, vice-president for Europe at security firm Vormetric, said that, like data breaches at US retailers Target and Neiman Marcus, this incident suggests organisations still struggle to protect their data resources from those already legitimately “inside the fence”.

“It is often a case of ineffective management of ‘privileged’ users on corporate networks that causes this type of data breach," said Ayers.

“Every organisation will have employees or contractors who have far reaching, privileged, computer network access rights – and it is how these users are controlled and secured that is often a weak link in the data security framework.”

Ayers said that, despite ongoing high-profile breaches, Vormetric’s research indicates that 73% of organisations fail to block privileged user access to sensitive data. 

“Organisations must be regularly assessing their security position and, more importantly, constantly monitoring their IT systems to detect and respond to data breaches as soon as they happen. In turn, encryption of all data must be viewed as a mandatory, life-saving seatbelt,” he said. 

“It is only with a deep level of security intelligence and data-centric security that businesses will be able to spot suspicious activity as and when it occurs, and stop outside attackers and rogue employees alike in their tracks.” 

Read more on Privacy and data protection