Staff win claim over major Morrisons data breach
Thousands of Morrisons staff are to be awarded compensation in relation to a data breach that lead to their details being published online. The retailer’s former auditor Andrew Skelton was jailed for eight years in 2015 for fraud after leaking details of nearly 100,000 staff, which included names, addresses, salary and bank account details. Skelton had a personal grievance against the grocery giant but the High Court found that the buck stopped with the employer, not the employee.
A group of 5,518 former and current Morrisons employees said this exposed them to the risk of identity theft and potential financial loss. Their lawyers argued that the company had been awarded £170,000 in compensation against Skelton and that his other "victims" should also be compensated. A second trial will be held to determine the amount Morrisons must pay in damages.
"A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes," a spokesperson for the supermarket said. "The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement."
Nick McAleenan of JMW Solicitors, who represented the claimants, said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure. The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients. Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people."