Staff win landmark case over Morrisons data leak

Supermarket chain Morrisons has been found liable for a data leak involving financial and personal data of almost 100,000 members of staff following a trial in the High Court.

Information including salaries, national insurance numbers, dates of birth and bank account numbers was among the details leaked by a disgruntled former employee – Andrew Skelton – in 2014. Skelton, who worked at the company’s headquarters in Bradford, West Yorkshire, was jailed in 2015 for his crime.

In what is the UK’s first data protection class action, over 5,500 current and former employees sued Morrisons over the breach. Although the judge found that the company had provided “adequate and appropriate” controls and was unaware that Skelton posed a threat, Justice Langstaff said that secondary or vicarious liability for the actions of one of its employees had been established.

The ruling potentially paves the way for future claims and significantly increases the risk of liability and business exposure to the malicious actions of current or former employees.

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the claimants in the case, said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.

“In the Morrisons case, almost 100,000 bank account details, national insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet. This private information belonged to my clients. They are Morrisons’ checkout staff, shelf stackers, factory workers – ordinary people doing their jobs. The consequences of this data leak were serious. It created significant worry, stress and inconvenience.”

Morrisons was granted leave to appeal the vicarious liability ruling and says it plans to do so as it does not believe it should be held responsible given the procedures it had in place and its prompt action to remove the leaked data following the breach.
