> series: anatomy_of_a_breach —— part: 063 —— target: wm_morrison —— records: 100,000_employees —— legal_precedent: employer_liability
In January 2014, Andrew Skelton — a senior internal auditor at Wm Morrison Supermarkets — used his legitimate access to payroll data to copy the personal details of approximately 100,000 Morrison's employees. The stolen data included names, addresses, phone numbers, dates of birth, bank account details, National Insurance numbers, and salary information. Skelton posted the data on file-sharing websites and sent copies to three UK newspapers, which immediately alerted Morrison's rather than publishing.
Skelton had a personal grudge against Morrison's — he had previously received a verbal warning for minor misconduct and perceived the company as having treated him unfairly. His data theft was an act of deliberate revenge. He was arrested, convicted under the Computer Misuse Act and the Data Protection Act, and sentenced to eight years in prison. But the case's most significant impact was not criminal — it was civil. Affected employees launched a group action against Morrison's. The Court of Appeal found Morrison's vicariously liable for Skelton's actions, and the case eventually reached the Supreme Court, which overturned that finding in 2020 while setting out the framework for when employers can be held responsible for data breaches caused by rogue employees acting within the scope of their employment.
The Morrison's case established a landmark legal principle in UK data protection law: an employer can be vicariously liable for a data breach committed by an employee, even if the employee acted deliberately and maliciously, provided the employee was acting within the broad scope of their employment when they accessed the data. The Supreme Court ultimately ruled in Morrison's favour in 2020, overturning the earlier Court of Appeal decision — but the case established the legal framework within which employer liability for insider data breaches would be assessed going forward.
The Morrison's case transformed insider threat controls from a security best practice into a legal risk management requirement for every UK employer. If an employee can bulk-export personnel data without detection, and that data is subsequently misused, the employer may face both regulatory action from the ICO and civil liability from affected individuals. The cost of implementing data loss prevention and behavioural monitoring is a fraction of the cost of defending a group action from 100,000 affected employees.
Cyber Essentials certification establishes baseline access controls. Our penetration testing includes insider threat scenarios — testing what an authorised user can access and export. SOC in a Box provides the continuous behavioural monitoring and data loss prevention that detects bulk data extraction before it becomes a Supreme Court case. And UK Cyber Defence provides the forensic investigation capability when insider activity is suspected.
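One concrete shape for the behavioural monitoring described above, as an added example that is not code from this page or from any product it names: it baselines each user's normal daily volume of distinct payroll-record reads from audit events and flags a day on which an authorised user touches far more records than their own history, or more than an absolute ceiling. The event format, user names, thresholds and the constructed sample log are assumptions.

```python
"""Flag bulk payroll-record access by an otherwise authorised user.

Each user's earlier days form their own behavioural baseline; a day is
alerted when its distinct-record count is a large multiple of that
baseline, or exceeds an absolute ceiling that needs no history at all.
"""
from collections import defaultdict
from statistics import mean


def build_sample_events():
    """Constructed audit log: (day, user, action, record_id) tuples.

    'auditor01' reads ten payroll records a day for ten days, then sweeps
    100,000 records on 2014-01-12; 'hr02' reads five a day throughout.
    """
    events = []
    for day in range(1, 11):
        events += [(f"2014-01-{day:02d}", "auditor01", "payroll.read", r) for r in range(10)]
    events += [("2014-01-12", "auditor01", "payroll.read", r) for r in range(100_000)]
    for day in range(1, 13):
        events += [(f"2014-01-{day:02d}", "hr02", "payroll.read", r) for r in range(5)]
    return events


def daily_record_counts(events, action="payroll.read"):
    """Map (user, day) -> number of distinct records touched by that action."""
    seen = defaultdict(set)
    for day, user, act, record_id in events:
        if act == action:
            seen[(user, day)].add(record_id)
    return {key: len(ids) for key, ids in seen.items()}


def detect_bulk_access(events, ratio=20, absolute=1000):
    """Return [(user, day, count, baseline)] for days that look like bulk export."""
    per_user = defaultdict(list)
    for (user, day), n in sorted(daily_record_counts(events).items()):
        per_user[user].append((day, n))  # ISO dates sort chronologically
    alerts = []
    for user, series in per_user.items():
        for i, (day, n) in enumerate(series):
            prior = [c for _, c in series[:i]]  # strictly earlier days only
            baseline = mean(prior) if prior else 0.0
            if n >= absolute or (prior and n >= ratio * baseline):
                alerts.append((user, day, n, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, n, baseline in detect_bulk_access(build_sample_events()):
        print(f"ALERT {user} {day}: {n} records (baseline {baseline:.1f}/day)")
```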
Our <a href="/penetration-testing/infrastructure">penetration testing</a> tests insider threat scenarios. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for bulk data extraction. Because after Morrison's, insider threat controls are not optional — they are a legal risk management requirement.