The Daily Swig Web security digest

Supermarket sweep: British retailer found liable for 2014 data leak

James Walker | 04 December 2017 at 16:19

Thousands of Morrisons employees now awaiting compensation.

In a landmark ruling, UK supermarket chain Morrisons has been found liable for the actions of a former employee who leaked the personal data of nearly 100,000 staff members.

The High Court on Friday ruled in favor of the plaintiffs, who brought a claim against the company after Andrew Skelton, a senior auditor based at the retailer’s headquarters in Bradford, leaked the payroll data of nearly 100,000 supermarket employees in 2014.

Skelton was jailed for eight years in 2015, after being found guilty of fraud, securing unauthorized access to computer material, and disclosing personal data.

Friday’s ruling means that those affected are now able to claim compensation for the “worry, stress, and inconvenience” caused by the data breach.

Commenting on the High Court decision, Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represents the 5,518 claimants, said: “We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.

“Every day, we entrust information about ourselves to businesses and organizations. We expect them to take responsibility when our information is not kept safe and secure.

“In the Morrisons case, almost 100,000 bank account details, national insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet.”

A future court hearing will be scheduled to determine the compensation amount Morrisons must pay to the victims, although the retailer plans to appeal the High Court decision.

A company spokesperson said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”