In 2014, the personal details of thousands of Morrison’s staff including salaries, bank account details and home addresses were stolen and published online.
At the time, Morrisons said that all the staff details published were put on an unspecified location on the web for a few hours and were taken down immediately when they were discovered. It said in a statement: “We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.” It was working with police to identify the source of the theft.
The hacker posted the information – including names, addresses, bank account details and salaries – online and sent it to newspapers.
It turned out that it was an employee, Andrew Skelton, who had posted the data online. He was caught and jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
However, Morrisons faced a huge payout to staff whose personal data were posted on the Internet after workers brought a claim against the company for “upset and distress”.
The High Court ruling that Morrisons is liable for the data breach then the Court of Appeal upheld the original decision against the supermarket. Morrisons said it would now appeal to the Supreme Court.
This case is the first data leak class action in the UK.
Morrisons had argued that it could not be held liable for the criminal misuse of its data, but three Court of Appeal judges rejected the company’s appeal, saying they agreed with the High Court’s earlier decision.
They said Morrisons was “vicariously liable for the offences committed by Mr Skelton against the claimants”.
Skelton was given eight years in prison for fraud, securing unauthorised access to computer material and disclosing personal data at a criminal trial in 2015.
The case continues.
If you have any experiences with scammers, spammers or time-waster do let me know, by email.