Morrisons staff sue over payroll insider security breach in 2014

Where there's a blame, there's a claim

Some 2,000 staff at Morrisons, whose banking and personal information were exposed in an insider breach in March 2014, are to sue the company.

It follows a hearing in the High Court in London earlier this week, in which staff were given leave to pursue their case by senior master Barbara Fontaine at the Queen's Bench Division. The case will return in four months time, during which more staff could join the class action - out of a total of 100,000 employed by Morrisons at the time of the breach.

Morrisons' payroll data was leaked and published on the internet in March 2014. A disgruntled employee, Andrew Skelton, was later arrested and prosecuted for offences under the Computer Misuse Act and the Data Protection Act. Skelton was jailed for eight years in July following a trial at Bradford Crown Court.

The payroll data exfiltrated by Skelton included staff salary details, their national insurance numbers and bank details. The information was sent to several newspapers and posted on websites like Pastebin, where it could be taken and used by fraudsters. According to Morrisons, the breach cost it more than £2m.

At the trial, it was claimed by the Crown Prosecution Service that Skelton harboured a grudge against the company after being disciplined over dealing in "legal highs" at work.

Nick McAleenan, a data privacy lawyer at JMW Solicitors, claimed that Morrisons staff had every right to sue: "Whenever employers are given personal details of their staff, they have a duty to look after them.

"That is especially important given that most companies now gather and manage such material digitally and, as a result, it can be accessed and distributed relatively easily if the information is not protected."

He continued: "My clients' position is that Morrisons failed to prevent a data leak which exposed tens of thousands of its employees to the very real risk of identity theft and potential loss.

"In particular, they are worried about the possibility of money being taken from their bank accounts and - in the case of younger clients - negative consequences for their credit rating."

Other Morrisons staff wishing to join in have four months in which to fill in a form on the website of law firm JMW.

"I expect that we may well see other employees who might have been dissuaded from making a claim on their own deciding to join with their colleagues because of the group momentum which has now been established," added McAleenan.