[BreachExchange] Morrisons launches appeal to landmark data breach ruling

Destry Winant destry at riskbasedsecurity.com
Mon Oct 8 21:05:51 EDT 2018


Morrisons is set to begin its appeal against a landmark data breach
case in which it was found to be “vicariously liable”.

Tomorrow the retailer will begin its appeal against a High Court
ruling from December 2017 which found it legally responsible for a
data breach which saw 100,000 staff members’ bank account details,
dates of birth, salary information, national insurance numbers,
addresses and phone numbers leaked to the internet.

The 2014 breach saw disgruntled senior internal auditor Andrew Skelton
upload the staff members’ details to data sharing websites.

Though Skelton received eight years in prison for his actions, the
court ruled that Morrisons was not “directly liable” but was
“vicariously liable” for the actions of its employee.

Morrisons is seeking to reverse the ruling of what was the UK’s first
class action data breach case, denying all legal responsibility and
leaving claimants without any compensation.

5518 claimants are currently  seeking compensation from the grocer
over the 2014 data breach.

Although Morrisons has already paid out income protection measures,
the claimants argue they deserve compensation as they were caused
significant stress due to being exposed to the risk of identity fraud
and financial loss.

If Morrisons is unsuccessful in reversing the ruling, a ‘quantum’
trial will follow to assess how much the victims will receive in

“This is a classic David and Goliath case – the victims here are shelf
stackers, checkout staff and factory workers; just ordinary people
doing their jobs,” JMW Solicitors data privacy law specialist Nick
McAleenan, who is representing the claimants, said.

“They were obligated to hand over sensitive financial and personal
information to Morrisons – including national insurance numbers, dates
of birth and bank account details – and had every right to expect that
information to be kept confidential.

“Instead of recognising the impact on its employees, of what was a
very serious data breach, Morrisons now seeks to avoid legal
responsibility and protect its £374m annual profits – and despite the
receipt of its own compensation to the tune of £170,000.”

More information about the BreachExchange mailing list