Latest News

Staff win landmark case over Morrisons data leak

By staff reporter

Supermarket chain Morrisons has been found liable for a data leak involving financial and personal data of almost 100,000 members of staff following a trial in the High Court.

Information including salaries, national insurance numbers, dates of birth and bank account numbers were among the details leaked by a former disgruntled employee – Andrew Skelton – in 2014. Skelton, who worked at the company’s headquarters in Bradford, West Yorkshire, was jailed in 2015 for his crime.

In what is the UK’s first data protection class action, over 5,500 current and former employees sued Morrisons over the breach and although the judge found that the company had provided “adequate and appropriate” controls and was unaware that Skelton posed a threat, Justice Langstaff said that secondary or vicarious liability for the actions of one of its employees had been established.

The ruling potentially paves the way for future claims and significantly increases the risk of liability and business exposure to the malicious actions of current or former employees.

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the claimants in the case said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.

“In the Morrisons case, almost 100,000 bank account details, national insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet. This private information belonged to my clients. They are Morrisons’ checkout staff, shelf stackers, factory workers – ordinary people doing their jobs. The consequences of this data leak were serious. It created significant worry, stress and inconvenience.”

Morrisons was granted leave to appeal the vicarious liability ruling and says it plans to do so as it does not believe it should be held responsible given the procedures it had in place and its prompt action to remove the leaked data following the breach.

    Share Story:

YOU MIGHT ALSO LIKE

Hospitality sector urges clearer government guidance and more support over pandemic next steps

2022 Predictions: A year of opportunity

2022 Predictions: FCA and Treasury will seek AR oversight improvements


BANNER

Resilience Rooted in Reality
In this podcast, CIR speaks to CLDigital’s Tejas Katwala about why organisations must move beyond checklist compliance to build living, data driven resilience. He explains how rethinking governance, risk and compliance, breaking down silos and focusing on value streams can create sustainable, real time resilience that is rooted in the way businesses actually operate today.

Building cyber resilience in a complex threat landscape
Cyber threats are evolving faster than ever. This episode explores how organisations can strengthen defences, embed resilience, and navigate regulatory and human challenges in an increasingly complex digital environment.

© 2019 Perspective Publishing     Privacy & Cookies