Court of Appeal rules that supermarket is liable for rogue employee who posted salary details online
British supermarket chain Morrisons has lost its appeal against a court ruling on a data breach way back in 2014.
In December last year a High Court in Leeds ruled in favour of current and former Morrison workers in a class action lawsuit. The court found that Morrisons was ultimately responsible because employees were at risk of identity theft and financial loss because of breaches of privacy and data protection law.
But Morrisons decided to appeal that decision, and this week the court of Appeal has ruled against the supermarket, which now potentially faces having to make a multi-million pound payout.
The case centres around a damaging data breach in 2014 when disgruntled internal auditor Andrew Skelton posted personal details that included salary data online.
Skelton was jailed for eight years in 2015 for obtaining the names, addresses, bank account details and salaries of 5,518 employees and posting them online.
Skelton also sent the data to a number of newspapers who then alerted the supermarket.
“The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues,” a spokesperson told Silicon UK back in December last year.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.
Morrisons told Silicon UK back then that even the High Court judge had been troubled that the crime was aimed at Morrisons, and “yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement.”
But the supermarket has now lost that appeal and JMW Solicitors, who are representing the affected workers said that the ruling paves the way for 5,518 claimants to receive compensation.
“The Court of Appeal judgment was handed down this afternoon, with three senior Judges, including the Master of the Rolls, finding the supermarket giant legally responsible for the data leak, which the Claimants say caused significant stress and upset,” said JMW Solicitors in a statement.
“Today’s ruling paves the way for 5,518 Claimants to receive compensation for what was a significant data leak, which saw bank account details, dates of birth, National Insurance numbers, addresses and telephone numbers posted on the internet by Andrew Skelton, a disgruntled employee who had recently been disciplined by the company,” they said.
“The Court of Appeal has refused Morrisons permission to appeal to the Supreme Court.”
“This case involves a significant data leak which affected more than 100,000 Morrisons employees – checkout staff, shelf-stackers, and factory workers; hard working people on whom Morrisons’ entire business relies,” explained JMW’s Nick McAleenan.
“They were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems,” said McAleenan. “Unsurprisingly, this caused a huge amount of worry, stress and inconvenience.”
“The Claimants are obviously delighted with the Court of Appeal’s ruling. The Judges unanimously and robustly dismissed Morrisons’ legal arguments. These shop and factory workers have held one of the UK’s biggest organisations to account and won – and convincingly so,” he added.
“The judgement is a wakeup call for business,” he concluded. “People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.”
Morrisons wasn’t the only British supermarket to suffer a data breach in 2014.
That same year thousands of online Tesco customers had to have their accounts deactivated after user details were leaked and posted online.
Do you know all about security? Try our quiz!