Morrisons Data Breach – The Implications

Nicola Mullineux

Nicola Mullineux


31 Oct 2018


The recent case against Morrisons due to a data breach by one of its employees has far-reaching implications.

Where did this all start?

This all began in 2014, when an internal auditor at Morrisons posted the private data of more than 100,000 employees online. He was subsequently jailed for eight years. Following the result, over 5,000 affected employees brought a case against Morrisons itself, seeking compensation for the breach and the resulting impact it had on their lives.

The retailer argued that it was not liable for criminal misuse of the employees’ data.

After a long, gruelling period, the Court of Appeal upheld the judgement, and found Morrisons vicariously liable for the leak. Since the decision has been made, the retailer has said it will be taking the case to the Supreme Court.

What are the implications?

The leak of employee data was a direct attack against the company by a disgruntled employee, and from the company’s perspective, they may have thought they did all that was required of them to protect employees’ data. As the auditor was required to work with sensitive data, there was seemingly little they could do to restrict his access to it. However, this ruling states that the responsibility for keeping data secure falls to the organisation itself, meaning the employer is liable even if measures are in place to protect employee data.

Naturally, this has troubling implications for employers across the country who will now be wondering where they stand, and if this will bring an onslaught of claims relating to personal data against them.

The ruling will be challenged by Morrisons, meaning it may shift in the other direction, however as it stands, it is worth reviewing your privacy policies, your data protection policies and more to ensure you are doing all you can to avoid potential issues. The best defence is ensuring a breach doesn’t happen in the first place.

Start implementing this defence during the onboarding process with a new employee. Conduct background checks, and limit access to sensitive data from an early stage. If you haven’t already, have a clear company policy, and offer compliance training to everyone. When an employee leaves the company, make sure all accesses are revoked, data is removed, etc. Finally, ensure remote access to all work devices so data can be secured at a moment’s notice.

Expert Support

If you need expert advice on GDPR implications for employee data, or are concerned about your data protection policies, speak to a Croner expert on 0808 145 3385

About the Author

Nicola Mullineux

Nicola Mullineux, as Group Content Manager, leads a team of employment law content writers who produce guidance and commentary on employment law, case law and key HR developments. She has written articles for national publications for over 10 years and regularly helps to shape employment of the future by taking part in Government consultations on employment law change.


Nicola Mullineux

Do you have any questions?

Get a free callback from one of our regional experts today