Workers have successfully brought a claim against Morrisons supermarket after their personal data was leaked online and sent to newspapers by a former employee. The ruling of the High Court is a landmark decision, being the first data leak class action in the UK.

In 2014 a senior internal auditor at the company leaked payroll data of employees. Information regarding nearly 100,000 staff such as salary and bank details, national insurance information, addresses and phone numbers were stolen. As a consequence, a reported 5,518 employees and ex-employees of Morrisons were placed at risk of identity theft and financial loss.

The High Court held that although Morrisons did not have primary liability under the Data Protection Act 1998, it was vicariously liable for the actions of its former employee. The finding is in addition to the criminal conviction of the former employee in 2015 for fraud, securing unauthorised access to computer material and disclosing personal data, for which he received an eight year custodial sentence.

This case is a reminder to businesses to ensure that they have in place sufficiently robust and effective security controls relating to the storage of and access to data.

Morrisons has been granted permission to appeal the High Court’s decision. We will provide updates when available.