Andrew Skelton, a senior IT auditor at Morrisons, deliberately posted personal data – including names, addresses and bank details – of almost 100,000 Morrisons employees on the internet. He also sent the information to three newspapers. Both were in retaliation to a formal verbal warning he had received.
In the criminal proceedings (in which Mr Skelton was sentenced to eight years' imprisonment) the Recorder noted that "One would think that any sensible, reasonable person would have just put that behind them and got on with life and got on with their job. That was not your reaction".
Following the leak, over 5,500 employees brought claims against Morrisons under the Data Protection Act for misuse of private information and breach of confidence. Mr Skelton had published the personal information from his home, on his personal computer, and outside of working hours. His actions were deliberate: he had set out to harm Morrisons.
Nonetheless, the High Court held there was a sufficient connection between his employment and his wrongful conduct to find Morrison's vicariously liable for his actions. Morrisons has appealed to the Court of Appeal.
Employers should review their IT security measures and update their processes and policies. This will be necessary anyway to reflect the requirements of the GDPR.