Morrisons data leak – Thousands to receive compensation payouts in landmark judgement.
| Retail giant appeals against compensation judgement.

Morrisons is appealing against a landmark data breach case, after a court found the firm to be “vicariously liable”.

Last year, the High Court ruled that the retailer was liable for the release of personal information of 100,000+ employees. The data included names, addresses, phone numbers, dates of birth, salaries and bank account details.

Andrew Skelton, a former employee, posted sensitive information about his colleagues on the internet. Skelton was employed as a senior auditor at Morrisons’ HQ in Bradford. He was found guilty and was sentenced to eight years in prison for his actions.

Morrisons data leak - compensation judgement

Who is liable for Morrisons data leak?

Although the court ruled that Morrisons was not “directly liable”, it was “vicariously liable” for the actions of its former employee.

Morrisons denied liability in the case, which was brought by current and former employees of the supermarket chain. The prosecution argued that the firm was responsible for breaches of personal privacy and data protection laws. Compensation is sought for the upset and distress caused to 5,518 current and former employees.

Morrisons claimed it was not liable for an employee’s criminal misuse of the data. It argued that it had already suffered considerable damage, having incurred £2m in costs relating to the breach.

A spokesperson for Morrisons said:

A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. A judge previously found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

Morrisons is seeking to reverse the ruling of what was the UK’s first class action data breach case. The firm denies all legal responsibility, leaving claimants without any compensation.

Nick McAleenan, data privacy law specialist at JMW Solicitors, representing the claimants, said:

This is a classic David and Goliath case – the victims here are shelf stackers, checkout staff and factory workers; just ordinary people doing their jobs…

Editor’s comment: The Morrisons data leak is among a growing number of alarming cases where personal data has been leaked.  Data leaks, or data breaches are occuring not only as result of criminal activity. There are many other causes of serious events such as the Morrisons data leak case.  Lack of controls, data storage failure, negligence and poor data management processes can cause distress, brand damage, and hefty fines.

Post a comment about this case in the box below.

Sources:  Information Commisioner’s OfficeRetail Gazette,

Leave a Reply