The supermarket issued a release in which they claimed no member of staff would be financially disadvantaged by the breach. But Nuala OSullivan, senior lecturer at Westminster Business School, said she didn't believe this was an assertion Morrisons could confidently make.
O'Sullivan cited several ways in which the company may have to cover employees' expenses.
"Those suffering identity theft lose their own credit rating and may not be eligible for a mortgage, to study or move abroad or to act as guarantor for minors," O'Sullivan said. "Morrisons is very generously offering to cover all of these eventualities without recognising the parameters of unintended consequences."
Morrisons CEO Dalton Philips is leading the response to the incident. He said the company was taking several steps in the wake of the theft. These include working closely with the cyber crime unit and police to identify the source of the theft and urgently reviewing the company's data protection policies to prevent a repeat in the future.
O'Sullivan said the effects of the breach might be more wide reaching than just financial. The company may have breached the Health and Safety Act of 1998, which lays out an employer's duty of care to its employees.
"Stress may be aggregated from many areas, but this exposure may prove to be the tipping point," she said.