UK supermarket chain Morrisons has filed a formal defence to the claim that it is liable for the widespread data breach in March 2014 that resulted in nearly 100,000 staff names, addresses and bank account details being stolen and posted online. In what is the biggest-ever corporate claim in relation to a data breach, over 5,000 employees are suing for damages after an application for a Group Litigation Order was approved by the High Court in London last November.
Now, lawyers acting on behalf of the claimants say they will "vigorously contest" the retailer's latest position, according to the Peterborough Telegraph. Nick McAleenan, data privacy lawyer at JMW Solicitors, who is representing the group, said that Morrisons has also denied the staff were emotionally impacted by the massive data leak.
"During the trial of the individual who leaked the material, Morrisons acknowledged the huge potential implications for staff as a result of what had happened, including identity theft and financial loss. This information was leaked by someone employed at the time by Morrisons. We believe that the retailer could and should have done more to prevent our clients' details being circulated in this way," he said.
McAleenan added that any staff members who want to join the legal claim should do so as soon as possible as the High Court issued a cut-off point for new claims as 8 April 2016. The hearing to determine the trial date is currently penned in for mid-May.
It was previously uncovered that a former employee named Andrew Skelton was responsible for leaking the staff members' data online. Skelton, who was jailed for eight years after being found guilty of carrying out the theft, reportedly held a grudge against the supermarket chain after he was given an official warning for using the firm's mail room for personal use.
As a result, in a breach that was said to have cost the retailer over £2 million to resolve, Skelton stole tens of thousands of sensitive staff records and posted the information to a slew of websites.
In a post acknowledging the incident at the time, Morrisons wrote on its Facebook page: "We are extremely sorry to inform you that there has been a theft of colleagues' personal information, which was uploaded onto a website. As soon as we became aware of this last night, we took immediate steps to ensure the data was removed from the website. It was closed down within hours of us being notified. The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation."