Supermarket chain Morrisons has been asked to pay compensation to 5,518 current and former employees whose personal and financial details were published online by a former staff member.
Morrisons was previously awarded £170,000 in compensation but did not pass on any compensation to affected employees whose personal details were leaked.
Back in 2014, to settle an old grudge against his employer, Andrew Skelton, an internal auditor at Morrisons’ Bradford office, leaked personal and financial information of nearly 10,000 Morrisons staff on the web. To mitigate the breach, Morrisons spent over £2 million in the next few months.
Compromised data included names, NI numbers, birth dates and bank account details of nearly 10,000 current and former Morrisons staff. Skelton was sentenced to 8 years after being found guilty of leaking personal details of Morrisons employees, and Morrisons was also awarded £170,000 in compensation by the court.
However, affected employees whose personal and financial information were made public by Skelton received no compensation in the years that followed. As a result, 5,518 current and former staff had to sue Morrisons for failing to compensate them for the distress they suffered following the leak. They told the Court that Morrisons was squarely responsible for breaches of privacy, confidence and data protection laws, as well as for exposing them to identity theft.
“We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information,” said Jonathan Barnes, counsel for the employees.
According to the BBC, the High Court in Leeds has now found Morrisons vicariously liable for Skelton’s actions and has directed the supermarket to pay compensation to the affected employees.
‘This private information belonged to my clients. They are Morrisons checkout staff, shelf stackers, factory workers – ordinary people doing their jobs. We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK,’ said Nick McAleenan of JMW Solicitors who represented the affected employees.
Morrisons said it will appeal against the verdict as it had incurred significant expenses to minimise the damage caused by the breach. However, a second trial will determine the amount of compensation Morrisons will have to pay to the affected employees. Nevertheless, the ruling is quite significant when viewed in terms of data security and employer liability.
‘The High Court’s decision to hold Morrisons responsible for the leaking of employees’ personal information is the latest sign of the shifting tide when it comes to accountability. Many businesses will be watching with interest to see the extent of the damages Morrisons will be liable to pay out – but the fact is that, with or without fines, accountability needs to be front of mind for all organisations,’ says Andre Stewart, VP EMEA at Netskope.
‘With more and more data stored off-premise, businesses must be prepared to take steps to secure corporate data wherever it may be. Cloud services are built to be accessed anytime, anywhere, from any device, and as most are designed for easy collaboration and data sharing, there is a real risk of accidental or intentional data exposure.
‘Once IT understands the cloud services in use and how they are being used, controls can be put in place to minimise users’ risky cloud activities and detect suspicious behaviour that could indicate a malicious insider. With granular visibility and control of all cloud services, IT can both mitigate the risk of insider threats and strengthen the company’s GDPR compliance stance,’ he adds.