Morrisons loses data leak appeal

The supermarket could face a hefty compensation bill after the high court ruled it is liable for a 2014 data leak by a disgruntled employee

Morrisons could face a massive compensation bill after a high court upheld its original decision that the supermarket was liable for a data breach by a former employee.

The ruling, which paves the way for 5,518 members of staff to claim compensation, was originally made in December 2017 after disgruntled former employee Andrew Skelton stole the data of 100,000 Morrisons employees. This information included salary and bank details.

The supermarket failed to get the decision overturned at an appeal and is now facing a hefty compensation bill.

"The judgment is a wake-up call for business. People care about what happens to their personal information," said Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who is representing the workers.

"They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It's important to remember that data protection is not solely about protecting information -- it's about protecting people."

Morrisons said it had worked to get the data taken down quickly, provided protection for the colleagues affected and reassured them that they would not suffer any financial disadvantage. So far, it has not been reported that any employee has suffered due to the breach and the supermarket believes it should not be held responsible.

"A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he's been found guilty for his crimes," said a spokesperson for Morrisons.

"Morrisons has not been blamed by the courts for the way it protected colleagues' data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues."

For Lesley Holmes, data protection officer at MHR, this case is a salutary tale where an employer is held liable for the actions of a disgruntled employee who had been trusted with the personal data of their colleagues.

"This case highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused," she said.
