Morrisons could be forced to hand out “vast” sums of compensation to thousands of its staff affected by a data breach after losing a key court ruling today.
The “Big Four” supermarket had appealed against an earlier decision that it was responsible for a leak of more than 100,000 employees’ personal information, including national insurance numbers, bank details and telephone numbers by a member of staff.
But the Court of Appeal upheld the original ruling, which was meted out in December last year.
It denied Morrisons an immediate appeal to the Supreme Court but the retailer now intends to pursue one independently.
The case is the first ever class action over a data leak in the UK and is being pursued by 5,518 Morrisons workers led by solicitors JMW.
Morrisons’ legal representative, Anya Proops QC, previously warned that if the claim is successful then it could lead to “compensation claims on a potentially vast scale”.
Andrew Skelton, an internal auditor, leaked the data online and to several newspapers in 2014 after being disciplined for running an ecommerce business out of the company’s mailroom at its Bradford headquarters. He was jailed for eight years in 2015.
JMW’s Nick Aleenan said the leak had caused a “huge amount of worry, stress and inconvenience” and the ruling should serve as a “wake-up call for business”.
He said: “People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.”
A spokesman for the supermarket chain said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.”
Morrisons is unaware of any workers who have “suffered any direct financial loss”, he added.