Morrisons could be forced to pay compensation to workers whose data was stolen and leaked online by a former employee in 2014.
Internal auditor Andrew Skelton was jailed for eight years in 2015 for obtaining the names, addresses, bank account details and salaries of 5,518 employees and posting them online.
Skelton also sent the data to a number of newspapers who then alerted the supermarket.
However a class action lawsuit on behalf of those affected claimed Morrisons was ultimately responsible because employees were at risk of identity theft and financial loss because of breaches of privacy and data protection law.
A High Court in Leeds has agreed, paving the way for a potential compensation claim.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK,” said JMW Solicitors, who are representing the workers.
“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure. The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.
“Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”
Does IoT security concern you?
Morrisons is not aware of any employees losing any money as a result of the breach and offered anti-fraud services in the aftermath. It is expected to appeal the decision.
“The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues,” a spokesperson told Silicon.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.
“The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement.”
Do you know all about security in 2017? Try our quiz!
Trolls beware. Twitter releases feature that will deliver a 'reconsider prompt' for users, if they…