Morrisons data leak: Thousands of staff to receive payout in landmark judgment over personal details posted online

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Thousands of Morrisons staff are due a payout after a court ruled that the supermarket was liable for a huge data leak.

Lawyers for the claimants welcomed the “landmark” ruling, which could have implications for businesses across the country.

Employee Andrew Skelton leaked the payroll data of nearly 100,000 staff in 2014, including names, addresses, bank account details and salaries.

Skelton, a former senior auditor at Morrisons’ headquarters in Bradford, posted the data online and sent it to newspapers.

Morrisons had denied liability in the case, which was brought by 5,518 current and former staff. They argued that the supermarket chain was responsible for breaches of privacy, confidence and data protection laws, and sought compensation for upset and distress caused.

Their lawyers argued that the company had been awarded £170,000 in compensation against Skelton and that his other “victims” should also be compensated.

Morrisons said it was not liable either directly or indirectly for its employee’s criminal misuse of the data and argued that it had already suffered serious damage, having incurred £2m costs relating to the data breach.

The ruling could open the door for the other 94,000 people affected to bring a compensation claim, lawyers said.

Following the ruling, Nick McAleenan of JMW Solicitors, acting for the claimants, said: “The High Court has ruled that Morrisons was legally responsible for the data leak.

“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”

In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and jailed for eight years.

His motive appeared to have been a grudge over a previous incident when he was accused of dealing in legal highs at work.

In October, Jonathan Barnes, counsel for the claimants, told Mr Justice Langstaff that the company had already been awarded £170,000 compensation against Mr Skelton.

He said the employees should also be compensated for the upset and distress caused by the alleged failure to keep their information safe.

Antonis Patrikios, head of cyber-security at law firm Fieldfisher, said the ruling was likely to be a “game-changer” for firms.

“What is key to remember is that despite this breach being from within their own company from a trusted employee, even when the company is the victim of criminal activity, the responsibility for keeping personal data secure and confidential still lies with the organisation that decides how the data should be used, such as Morrisons in this case,” he said.

“The key questions for organisations are: are we taking appropriate steps to protect the data and are we appropriately prepared to respond to incidents that put the data at risk”.

A Morrisons spokesperson said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.”