Out-Law / Your Daily Need-To-Know

Morrisons data leak 'a warning to companies' about importance of fraud prevention policies says expert

20 Jul 2015, 4:42 pm

The conviction of former Morrisons' auditor Andrew Skelton for leaking the personal details of supermarket employees on the internet should act as a reminder to companies to review the effectiveness of their fraud prevention policies, an expert has said.

Civil fraud and asset recovery specialist Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said that the breach cost the supermarket chain £2 million to rectify even before reputational damage was accounted for. It could have cost the company "millions more had it not responded to the crisis quickly and ensured the confidential data was taken down to avoid the staff being financially disadvantaged", he said.

"Nowadays, the theft of confidential data can have greater financial consequences to a company than that of the theft of money," Sheeley said.

"The case should be a warning to all companies to have in place adequate fraud prevention policies to avoid theft, whether that be of confidential data or money, and a crisis response plan should the nightmare happen. Companies need to be prepared and to have rehearsed procedures so that they can react quickly to avoid further losses," he said.

Skelton, a former senior internal auditor at Morrisons' Bradford head office, was convicted on three counts of fraud at Bradford Crown Court at the end of last week, and sentenced to eight years in prison, the BBC reported. According to the report, he leaked information including the salaries, bank details and National Insurance numbers of nearly 100,000 staff to several newspapers and public data-sharing websites, and then tried to cover it up by using the details of a colleague to set up a fake email account.

The Crown Prosecution Service (CPS) said that Skelton appeared to have been motivated by a personal grievance after he was accused of dealing 'legal highs' at work.

"The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees' identities being stolen," David Holderness from the CPS said. "The sentence imposed … sends out a very clear message that we will robustly prosecute serious fraudsters such as Skelton who believe they are above the law."

In a statement, Morrisons' said that it had offered identity theft protection to all affected employees "at a significant cost to the company" following the data breach.