Morrisons found liable for staff data breach

At the hearing of the UK's first data leak class action, the supermarket chain, Morrisons, has been found liable for the information breach caused by former employee, Andrew Skelton, back in 2014.

More than 5,000 employees brought a claim against the company after Skelton, a former auditor for Morrisons, stole their sensitive data, such as names, addresses, salary and bank details, posted the information online, and sent it to newspapers over a "personal grievance" against the company.

While Morrisons had been awarded 170,000 compensation against Skelton, the employees believed the supermarket failed to sufficiently protect their data and they deserved compensation as well.

Although Morrisons had denied liability to the claim, the judge, Mr Justice Langstaff, ruled that Morrisons was in fact liable and added that primary liability had not been established, meaning that all affected employees can claim compensation for the "upset and distress" caused.

"The High Court has ruled that Morrisons was legally responsible for the data leak. We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK," Nick McAleenan of JMW Solicitors said of the ruling, as reported by the BBC.

10/10/2017: More than 5,000 employees of Morrisons supermarket chain are suing their employer for damages following the leaking of their personal data online.

The High Court case accuses the company of failing to adequately protect the data, which was leaked by a former employee, trying to make the company responsible for the leak.

Andrew Skelton, of Water Street in Liverpool, who worked as an auditor for Morrisons, was jailed for eight years in 2015 for fraud after leaking almost 100,000 staff's personal details over a "personal grievance" against the company.

Jonathan Barnes, counsel for 5,518 former and current Morrisons employees, told the court that Morrisons had already been awarded 170,000 compensation against Skelton, according to the BBC.

Barnes added that staff "were victims too" but that they had received no compensation, calling theirs a "simple complaint" by employees who were required to provide personal data when they joined the supermarket.

"We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information," Barnes told the judge, the BBC reported.

The High Court will decide on whether Morrison is liable for damages. The supermarket denies liability and the case continues.

David Emm, principal security researcher at Kaspersky Lab, said that the insider threat represents one of the greatest challenges to businesses trying to stave off a constant barrage of cyber attacks.

"Employees rank at the very top of the list of threats to data and systems. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. When insider-assisted attacks do occur, the impact of such attacks can be devastating as they provide a direct route to the most valuable information in this case, [personnel] data," he said.

Picture: Bigstock

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.