Court of Appeal finds Morrisons liable for data breach

Morrisons has been found liable by the Court of Appeal for a data breach that exposed the personal details of thousands of staff.

The original ruling made in December of last year by the High Court found Morrisons vicariously responsible for the incident, a decision that was today upheld in London.

The initial breach occurred in 2014, when a vengeful staff member gained unauthorised access to his former employer’s database and posted the private details of nearly 100,000 staff online, as well as sending them to newspapers.

The perpetrator, Andrew Skelton, had been embroiled in accusations of dealing illegal high drugs in the workplace and manufactured the data leak in an act of revenge.

The former senior internal auditor for Morrisons denied three counts of fraud at the time, but was found guilty and sentenced to eight years in prison in 2015. His actions cost the supermarket chain more than £2m to put right.

This, the UK’s first class action lawsuit for a data leak, will now be appealed in the Supreme Court, Morrisons says, knowing that failure will allow the leak victims to claim huge amounts in compensation for the disruption suffered.

Arguing in the Court of Appeal, Morrisons rejected the notion that it could be held liable for Skelton’s criminal misuse of data, a view dismissed by the Court of Appeal judges, who said they agreed with the High Court’s decision.

The verdict found Morrisons “vicariously liable for the torts committed by Mr Skelton against the claimants,” the BBC news website reports.

Representing the claimants, Nick McAleenan of JMW Solicitors spoke of his delight at the outcome.

“These shop and factory workers have held one of the UK’s biggest organisations to account and won – and convincingly so,” he said.

“This latest judgement provides reassurance to the many millions of people in this country whose own data is held by their employer.”

After the hearing, Morrisons said:

“A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.”

