Morrisons loses payroll data breach challenge

23 October 2018

Morrisons has lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees' details posted online.

In 2014 Andrew Skelton sent information about staff salaries, bank details and National Insurance numbers to several newspapers and posted it on data sharing websites, in a data breach which cost the company more than £2m to rectify.

Skelton, who had worked as a senior internal auditor at Morrisons' head office, was subsequently jailed for eight years in July 2015 at Bradford Crown Court.

In December 2015, Morrisons was awarded £170,000 in compensation from Skelton having made a legal claim for the losses which it suffered.

Since then, serving and former staff employed at Morrisons’ supermarkets and its Kiddicare, Farmers Boy and Woodhead subsidiaries lodged an application for a Group Litigation Order (GLO) in 2015, and the number of individuals demanding compensation more than doubled – from just over 2,000 to more than 5,500.

A two-week trial to determine the issue of Morrisons’ liability for the data leak took place in October 2017. Judgment was handed down on 1 December 2017 and in a landmark ruling, the Court found that Morrisons was legally responsible for the data leak.

Morrisons appealed the decision and the Court of Appeal has now upheld the original decision.


According to BBC News Morrisons has said it would now appeal to the Supreme Court.

If you need more information on GDPR then why not book onto the CIPP's GDPR traning course.