By Mark Fairlie.
15/10/2018 – the headline originally published for this article was ‘Morrisons lose staff data breach compensation claim’ which was both inaccurate and misleading. We apologise for any inconvenience this may have caused.
On Tuesday, Morrisons launched an appeal against a High Court ruling that found it liable for the leaking of over 100,000 employees’ personal and financial records onto the Internet by a disgruntled member of staff.
Once the breach was uncovered, Morrisons’ management spent over £2m handling it.
Andrew Skelton was found guilty of fraud in 2015 and sentenced to eight years in jail, according to the Yorkshire Post.
Skelton, a senior auditor at the supermarket chain, had been accused of dealing “legal high” drugs to colleagues at work. During their investigation into the data breach, the police discovered a letter from Skelton in which he detailed his “scant regard for the firm” and said that his “anger and frustration” over disciplinary proceedings related to the use of the staff mailroom to conduct eBay transactions “had not diminished”.
The Register reports that Skelton published Morrisons’ entire payroll database details online using the “anonymising network Tor” and also sent copies of the database to local newspapers.
The database included employees’ names, addresses, National Insurance numbers, and bank account details. When posting the database online, Skelton used a colleague’s details to set up a fake email account in an attempt to “implicate” him for the crime.
JMW Solicitors brought a case to the High Court on behalf of 5,518 current and former staff over the data leak. Their case was successful, the judges ruling that Morrisons was “vicariously liable” for their rogue employee’s action.
As reported in the Independent, Morrisons was awarded £170,000 in compensation over the incident. Current and former staff, the counsel for the claimants argued, “should also be compensated for (their) upset and distress”.
A Morrisons representative told Reuters that it reacted quickly in successfully removing the data from the internet, gave affected staff a guarantee of protection, and offered reassurance that they would not be financially disadvantaged in any way. The supermarket was also unaware that any of the affected employees had actually suffered any financial loss.
The judge granted the supermarket leave to appeal because he was concerned that his judgement “could render the court an accessory to furthering Skelton’s aim of damaging Morrisons”.
Speaking to TechGuard, cybersecurity consultant Antonis Patrikios said that the outcome of the appeal was a “game changer” for companies.
“Even when the company is the victim of criminal activity, the responsibility for keeping personal data secure and confidential (would) still [lie] with the organisation that decides how the data should be used, such as Morrisons in this case”.
The claimants’ solicitors argue that, if Morrisons were not found responsible, natural justice would be denied to employees who were the victims of a data breach, whether or not that breach was caused by criminal activity of the perpetrator(s).