Britain's fourth-largest supermarket, Morrisons, is scrambling to tell employees that the staff payroll system has been raided.
Here's part of the message emailed to all Morrisons workers (or at least to those who have company email addresses; not all do, as loads of steaming comments make clear) on Friday morning, reposted on its Facebook page:
We are extremely sorry to inform you that there has been a theft of colleagues’ personal information, which was uploaded onto a website. As soon as we became aware of this last night we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified.
- This was an illegal theft of data.
- It can no longer be accessed on the website.
- We are liaising with the police and highest level of cyber crime authorities.
The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.
Beyond being posted on a website, the data was also sent on a disc to a newspaper, according to Reuters.
Reuters quoted further details that Morrisons provided outside of its Facebook post, which possibly suggests it was an inside job:
Initial investigations suggest that this theft was not the result of an external penetration of our systems.
We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.
The supermarket said it's working with Experian and major banks to provide support and advice to protect employees' bank accounts.
It's also setting up a helpline for the outpouring of questions - the Facebook page had over 800 comments and 2000 shares within a few hours of posting - and promised to post an update later today.
Morrisons has already set up a dedicated email address to handle the questions: firstname.lastname@example.org.
As comments to the company's Tweet about the news show, many employees are complaining about not being contacted or about getting no response from the dedicated email address.
Judging by the Facebook and Twitter streams, Morrisons managers must feel like their heads will explode as they deal with a torrent of worry on the employee side, along with an investigation, cyber forensics, and the securing of systems on the IT side.
In spite of its understandable flusteration, the company is promising to take care of employees:
We are taking this extremely seriously. [CEO] Dalton Philips is leading the response.
We are very sorry that this has happened. We will ensure that no colleague will be left financially disadvantaged as a result of this theft.
We don't know if Morrisons had any disaster plans in place for cyber emergencies, but it's something all businesses should have, just as they do for electrical outages or other disasters.
A decent plan would include, of course, how to communicate a breach with every employee.
Posting it on Facebook and Twitter is one approach to get to those without a corporate email account, but it's obviously not foolproof, as many Morrisons employees have said in the wake of the breach.