Morrisons has lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees’ details posted online.
The Court of Appeal upheld the original decision against the supermarket, issued in December 2017.
Workers brought a claim against the company after employee Andrew Skelton stole the data, including salary and bank details, of nearly 100,000 staff.
Those affected can now claim compensation for “upset and distress”.
The case is the first data leak class action in the UK.
It follows a security breach in 2014 when Skelton, then a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of employees.
He posted the information – including names, addresses, bank account details and salaries – online and and sent it to newspapers.
He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
Morrisons had argued that it could not be held liable for the criminal misuse of its data.
But three Court of Appeal judges rejected the company’s appeal, saying they agreed with the High Court’s earlier decision.
They said Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants”.