In a test case that has been billed as Britain’s “biggest claim for breach of data security”, more than 2,000 people are alleging that Morrisons was ultimately responsible for serious breaches of privacy, confidence and data protection law, reports The Times.
The lawsuit stems from an incident last year when Andrew Skelton, a disgruntled former internal auditor at the chain, posted online a spreadsheet of financial details of nearly 100,000 staff. Information that he leaked to newspapers and an online file-sharing site included salaries, national insurance numbers, bank account details and dates of birth. Skelton was jailed for eight years in July. The details that he leaked were online for less than 24 hours before Morrisons took them down, but the breach and subsequent remedies have cost the grocer about £2 million.
Nick McAleenan, a data privacy lawyer with JMW Solicitors, which is representing the employees, said the case had important implications for “every employee and every employer” in the country.
Details of the Morrisons employees’ claim comes as TalkTalk, the telecoms company, deals with a security event that led to the theft of details belonging to four million customers. It also comes as companies are becoming more focused on their cybersecurity. Last week, Sony Pictures Entertainment agreed to pay up to $8 million to resolve a lawsuit by employees who claimed that their personal data had been stolen last year in hacking tied to the release of The Interview, a film that satirised the leadership of North Korea.
Mr McAleenan said: “Whenever employers are given personal details of their staff, they have a duty to look after them. That is especially important given that most companies now gather and manage such material digitally and, as a result, it can be accessed and distributed relatively easily if the information is not protected.
“My clients’ position is that Morrisons failed to prevent a data leak, which exposed tens of thousands of its employees to the very real risk of identity theft and potential loss. In particular, they are worried about the possibility of money being taken from their bank accounts and — in the case of younger clients — negative consequences for their credit rating.”
It is understood that JMW has been making contact with Morrisons employees through social media and has attracted numerous clients.
There will be a four-month period during which other employees who believe they were affected by the data breach can join the group action. Anyone who worked at Morrisons, its Farmers Boy subsidiary or its former Kiddicare business before November last year could potentially be able to join the claim.
If any part of the claim is upheld, the court could determine that Morrisons must provide financial compensation.
A spokesman for Morrisons said: “We are contesting this case. We are not accepting liability for the actions of a rogue individual. We can confirm that we are not aware that anybody suffered any financial loss from this breach.”