Lawyers for thousands of current and former Morrisons staff have welcomed a “landmark” High Court ruling that the supermarket was partly liable for a data breach that saw their details posted online.
The case, which could have implications for every individual and business in the country, comes after the breach affecting 100,000 employees in 2014.
Morrisons said it planned to appeal.
The ruling concerns liability and, if it stands, any compensation will have to be assessed at a later date.
Andrew Skelton, a senior internal auditor at the retailer’s headquarters in Bradford, leaked the workers’ payroll data, including names, addresses, bank account details and salaries, by posting it on the internet and sending it to newspapers.
Skelton was later jailed for eight years in 2015 after a trial heard he appeared to have been motivated by a grudge against the company.
A group of 5,518 former and current Morrisons employees said this exposed them to the risk of identity theft and potential financial loss.
They claimed that Morrisons was responsible for breaches of privacy, confidence and data protection laws, and are seeking compensation for upset and distress caused.
Their lawyers argued that the company had been awarded £170,000 in compensation against Skelton and that his other “victims” should also be compensated.
But the supermarket said that it could not be held liable either directly or indirectly for Skelton’s criminal misuse of the data and that any other conclusion would be grossly unjust.
It also argued that it had already suffered serious damage, having incurred £2m costs relating to the data breach.
The judge, Mr Justice Langstaff, ruled that “vicarious” or indirect liability, but not primary liability, had been established.
However, he said he was “troubled” that in reaching his finding against Morrisons he might be helping Skelton “in furthering his criminal aims”.
He therefore granted Morrisons leave to appeal.
Nick McAleenan, of JMW Solicitors, representing the claimants, said: “The High Court has ruled that Morrisons was legally responsible for the data leak.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”
A Morrisons spokesman said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.
“In fact, we are not aware that anybody suffered any direct financial loss.
“We believe we should not be held responsible so we will be appealing this judgment.”