How about losing the bank account details of 100,000 of your own staff and finding them published on the internet in a massive data hack that grabbed names, addresses, bank account numbers and salaries of employees across the business – including board members?
That was the latest turn of events for beleaguered UK supermarket chain Morrisons. Last week we looked at how the retail giant had neglected to invest in IT or in the development of multi-channel capabilities and ended up reporting heavy losses in an increasingly competitive market, a grim warning to retailers all around the world.
With analysts questioning the firm’s decision to invest heavily in online shopping and in creating a loyalty card scheme - which has been beyond the capabilities of the firm’s ageing IT - the last thing that Morrisons needed was news to break of a massive data security breach.
In a further humiliation, a computer disk and a note were sent to the media claiming to come from a “concerned Morrisons customer” who came across the data “by accident”. The note said of Morrisons:
“I do wonder if their recent venture online has come too soon for them. If they can’t look after their own people’s data, what chance does their customer’s data stand?”
Morrisons removed the information from the web within hours while informing banks of the security breach, which in a further twist appears to have originated from within the organisation.
The firm said:
“Initial investigations suggest this was not the result of an external penetration of our systems.”
No customer data is believed to have been compromised, Morrisons said, and work will be done to ensure that employees will not be "financially disadvantaged".
CEO Dalton Philips has ordered an urgent review of security while a spokesman for the Information Commissioner said: “We have been made aware of a potential data breach, and we will be making enquiries.”
Meanwhile Morrisons faces the tricky question of how to manage its employees’ outrage at the problem. It emailed everyone on the internal mail system and, of course, in true 2014 style it took to Facebook with a letter to staff, also visible in the public domain.
The letter stated:
"We are extremely sorry to inform you that there has been a theft of colleagues' personal information, which was uploaded onto a website.
"As soon as we became aware of this last night we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified.
"The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.
"Our immediate priority is the security of your financial information. We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account."
"We are very sorry that this has happened. We will ensure that no colleague will be left financially disadvantaged as a result of this theft."
All of which seems like decent enough HR. But as ever, social media proved to be a double-edged sword, with irate staffers complaining that they hadn’t been contacted directly.
And if Morrisons hoped that it would be seen to be taking a personal interest in the evolving crisis, then parroting the same ‘party line’ to every angry staff member probably wasn’t the best move in the world.
There was no customer data involved this time, it seems.
But I’d think twice about handing over my information as a Morrisons customer until I was convinced that the seeming insider who leaked his or her colleagues’ personal data wasn’t within a million miles of mine!
None of this makes Morrisons’ prospects look any the brighter at the end of what has undoubtedly been a lousy week for the supermarket.