Morrisons – the retail nightmare goes on as data breach undermines confidence

So if you’ve just had to admit that your IT systems are antiquated and that your next step to boost your flagging fortunes is to introduce a loyalty card scheme to gather information on your customers, what’s the one thing that you really, really didn’t need to happen?

How about losing the bank account details of 100,000 of your own staff and finding them published on the internet in a massive data hack that grabbed names, addresses, bank account numbers and salaries of employees across the business – including board members?

That was the latest turn of events for beleaguered UK supermarket chain Morrisons. Last week we looked at how the retail giant had neglected to invest in IT or in the development of multi-channel capabilities and ended up reporting heavy losses in an increasingly competitive market, a grim warning to retailers all around the world.

With analysts questioning the firm’s decision to invest heavily in online shopping and in creating a loyalty card scheme – which has been beyond the capabilities of the firm’s ageing IT – the last thing that Morrisons needed was news to break of a massive data security breach.

In a further humiliation, a computer disk and a note were sent to the media claiming to come from a “concerned Morrisons customer” who came across the data “by accident”. The note said of Morrisons:

“I do wonder if their recent venture online has come too soon for them. If they can’t look after their own people’s data, what chance does their customer’s data stand?”

Not the best week Dalton Philips has ever had

Morrisons removed the information from the web within hours while informing banks of the security breach, which in a further twist appears to have originated from within the organisation.

The firm said:

“Initial investigations suggest this was not the result of an external penetration of our systems.”

No customer data is believed to have been compromised, Morrisons said, and work will be done to ensure that employees will not be “financially disadvantaged”.

CEO Dalton Philips has ordered an urgent review of security while a spokesman for the Information Commissioner said: “We have been made aware of a potential data breach, and we will be making enquiries.”

Meanwhile Morrisons faces the tricky question of how to manage its employees’ outrage at the problem. It emailed everyone on the internal mail system and of course, in true 2014 style, it took to Facebook with a letter to staff, also visible in the public domain.

The letter stated:

“We are extremely sorry to inform you that there has been a theft of colleagues’ personal information, which was uploaded onto a website.

“As soon as we became aware of this last night we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified.

“The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.

“Our immediate priority is the security of your financial information. We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account.”

It added:

“We are very sorry that this has happened. We will ensure that no colleague will be left financially disadvantaged as a result of this theft.”

All of which seems like decent enough HR. But as ever social media proved to be a double-edged sword, with irate staffers complaining that they hadn’t been contacted directly.

And if Morrisons hoped that it would be seen to be taking a personal interest in the evolving crisis then parroting the same ‘party line’ to every angry staff member probably wasn’t the best move in the world:

Verdict

There was no customer data involved this time it seems.

But I’d think twice about handing over my information as a Morrisons customer until I was convinced that the seeming insider who leaked his or her colleagues’ personal data wasn’t within a million miles of mine!

None of this makes Morrisons’ prospects look any the brighter at the end of what has undoubtedly been a lousy week for the supermarket.

Stuart Lauchlan

Stuart Lauchlan has been tracking and commenting on the enterprise IT market for 23 years during which time he's managed to amuse, inform and irritate buy and sell side participants in equal and appropriate measure. Lauchlan also helps companies understand the needs of technology readers.

@whostu

Tech journalism - the accident from which I've never recovered

Leave a Reply

  • philww says:

    dahowlett There are ways of detecting the export of this type of information and thus it could have been prevented. But not if you’re running an ‘antiquated IT system’ I guess.

  • dahowlett says:

    Given this was almost certainly an inside job, you have to wonder whether it was an expression of deep frustration at the way Morrison is conducting business rather than a malicious attempt to divulge confidential information. 
    I’m sure the miscreant will be identified – assuming Morrison keeps logfiles capable of examination – and summarily fired if they’ve not already left the building but that’s not the answer.