Morrisons has confirmed it intends to appeal a High Court ruling that it must pay compensation to thousands of staff members whose personal details were posted on the internet by a disgruntled employee.

It follows a security breach in 2014 when Andrew Skelton, a senior
internal auditor at the retailer's Bradford headquarters, leaked the
payroll data of nearly 100,000 employees - including their names,
addresses, bank account details and salaries - putting it online and
sending it to newspapers.

A group of 5,518 former and current Morrisons employees said this
exposed them to the risk of identity theft and potential financial loss
and that Morrisons was responsible for breaches of privacy, confidence
and data protection laws.

They are seeking compensation for the upset and distress caused.

Morrisons said it could not be held directly or vicariously liable for
Skelton's criminal misuse of the data and any other conclusion would be
grossly unjust.

Following Mr Justice Langstaff's decision on liability on Friday, Nick
McAleenan, of JMW Solicitors, said: "The High Court has ruled that
Morrisons was legally responsible for the data leak.

"We welcome the judgment and believe that it is a landmark decision,
being the first data leak class action in the UK."

The judge ruled that vicarious liability, but not primary liability, had
been established.

He said: "I hold that the Data Protection Act (DPA) does not impose
primary liability upon Morrisons; that Morrisons have not been proved to
be at fault by breaking any of the data protection principles, save in
one respect which was not causative of any loss; and that neither
primary liability for misuse of private information nor breach of
confidentiality can be established.

"I reject, however, the arguments that the DPA upon a proper
interpretation is such that no vicarious liability can be established,
and that its terms are such as to exclude vicarious liability even in
respect of actions for misuse of private information or breach of
confidentiality."

He added: "The point which most troubled me in reaching these
conclusions was the submission that the wrongful acts of Skelton were
deliberately aimed at the party whom the claimants seek to hold
responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.

"I grant leave to Morrisons to appeal my conclusion as to vicarious
liability, should they wish to do so, so that a higher court may
consider it, but would not, without further persuasion, grant permission
to cross-appeal my conclusions as to primary liability."

Mr McAleenan said: "Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.

"In the Morrisons case, almost 100,000 bank account details, National
Insurance numbers and other data was entrusted to a fellow employee to
look after. Instead, however, he uploaded the information to the
internet.

"This private information belonged to my clients. They are Morrisons
checkout staff, shelf stackers, factory workers - ordinary people doing
their jobs.

"The consequences of this data leak were serious. It created significant
worry, stress and inconvenience for my clients."

In July 2015 Skelton was found guilty at Bradford Crown Court of fraud,
securing unauthorised access to computer material and disclosing
personal data and jailed for eight years.

The trial heard that his motive appeared to have been a grudge over a
previous incident where he was accused of dealing in legal highs at
work.

In a statement after the judgement, Morrisons said: "A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.

"The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

"Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

"The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement."