Morrisons found liable in 'landmark' data leak trial involving thousands of employees

Over 5,000 Morrisons employees are set to receive compensation over a breach of data security which occurred in 2014.

A former senior internal auditor at the supermarket’s’ Bradford headquarters posted payroll information of nearly 100,000 staff on the internet.

The leak also included the staff members’ bank, salary and National Insurance details, addresses and phone numbers.

During the conclusion of the data leak trial today (December 1st), the High Court found Morrisons accountable for the actions of former employee, Andrew Skelton. The judge, Mr Justice Langstaff, ruled that Morrisons was “vicariously liable” for the leak of its employees’ information.

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, represented the 5,518 claimants.

Commenting on today’s decision in the Morrisons data leak trial of liability, Nick said: “The High Court has ruled that Morrisons was legally responsible for the data leak.

“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.

“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.

“In the Morrisons case, almost 100,000 bank account details, national insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet.

“This private information belonged to my clients. They are Morrisons’ checkout staff, shelf stackers, factory workers – ordinary people doing their jobs.

“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.

“Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”

Morrisons, which denies liability, has said it will appeal the decision.

Morrisons released a statement on the High Court’s decision, which said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.

“The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

“The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement.”