The lessons to learn from Morrisons payroll data leak

December 5, 2018 | Aoife Flynn

Employers across the UK may need to tighten up their payroll processes following a Court of Appeal decision that supermarket Morrisons was liable for a serious data breach by a disgruntled employee.

Four years ago, Andrew Skelton, a senior internal auditor at the company’s headquarters, copied payroll data relating to around 100,000 employees onto a USB stick and later posted it online. He was said to be holding a grudge against the company following accusations of drug dealing at work.

The data included names, addresses, bank account details, national insurance numbers and salaries.

But while Skelton has already been sentenced to eight years in prison, the appeal court has now ruled that Morrisons is liable too, even though it could not be deemed to be the data controller at the moment Skelton was uploading the data. Instead, the issue was vicarious liability, with Morrisons held responsible for the actions of its employee.

“Suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally,” the judgement read.

It’s a decision that should send shivers down the spine of employers. Payroll data is about as personal as it gets, and potentially very valuable to criminals. And while this case related to events before the introduction of the EU General Data Protection Regulation (GDPR), that legislation could make the penalties for a breach even greater – up to €20 million, or 4% of annual global turnover, whichever is higher.

In this instance, Skelton did officially have access to the data he leaked, so limiting who can reach payroll data would not by itself have stopped him. The case nevertheless highlights how important it is to keep the number of people with access to payroll information as small as possible, and to watch how that access is used.

A good starting point is a clear policy on user authentication and authorisation, with carefully specified access rights and privileges. It is important, of course, to revoke these privileges as soon as an employee leaves.

There need to be tight controls on bring-your-own-device policies, external emails and – as the Morrisons case highlights – on the use of USB sticks. And it also helps enormously if data can be centralised on a single secure platform, rather than duplicated between HR and payroll departments or shared with third party payroll providers.
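The controls described above (explicit roles and rights, immediate revocation when someone leaves, and an audit trail that surfaces bulk reads by a user who, like Skelton, had legitimate access) can be sketched in code. The following is an added example written for this page, not code from Morrisons, the author or any payroll product; the roles, thresholds, user names and payroll records are all constructed for illustration.

```python
"""Minimal least-privilege access layer for payroll records (added example).

Shows: role-based rights, team-scoped reads, a read-only auditor role with
no export right, immediate revocation on offboarding, and a sliding-window
alert on bulk reads. All names, roles and records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> permitted actions. Constructed roles, not any real product's model.
ROLE_RIGHTS = {
    "payroll_clerk": {"read_own_team", "edit_own_team"},
    "internal_auditor": {"read_any"},                 # read-only, no export
    "payroll_admin": {"read_any", "edit_any", "export"},
}

@dataclass
class User:
    name: str
    role: str
    team: str
    active: bool = True        # set False on leaving; rights vanish at once

@dataclass
class PayrollRecord:
    employee_id: str
    team: str
    bank_account: str
    salary: int

@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    employee_id: str
    allowed: bool

class PayrollStore:
    BULK_THRESHOLD = 50          # allowed reads per user per window before alerting
    WINDOW = timedelta(hours=1)

    def __init__(self, records):
        self._records = {r.employee_id: r for r in records}
        self.audit = []          # every attempt is logged, allowed or not

    def _rights(self, user):
        return ROLE_RIGHTS.get(user.role, set()) if user.active else set()

    def _decide(self, user, action, employee_id, allowed, now):
        self.audit.append(AuditEvent(now, user.name, action, employee_id, allowed))
        if not allowed:
            raise PermissionError(f"{user.name} may not {action} {employee_id}")

    def read(self, user, employee_id, now):
        rec = self._records.get(employee_id)
        rights = self._rights(user)
        allowed = rec is not None and (
            "read_any" in rights
            or ("read_own_team" in rights and rec.team == user.team))
        self._decide(user, "read", employee_id, allowed, now)
        return rec

    def export(self, user, now):
        """Whole-dataset export: the high-risk action, reserved to payroll_admin."""
        self._decide(user, "export", "*", "export" in self._rights(user), now)
        return list(self._records.values())

    def offboard(self, user):
        user.active = False      # no grace period: leaver loses access immediately

    def bulk_read_alerts(self):
        """Users whose allowed reads exceed BULK_THRESHOLD within any WINDOW."""
        alerts, by_user = set(), {}
        for e in self.audit:
            if e.action == "read" and e.allowed:
                by_user.setdefault(e.user, []).append(e.when)
        for name, times in by_user.items():
            times.sort()
            start = 0
            for end, t in enumerate(times):
                while t - times[start] > self.WINDOW:
                    start += 1
                if end - start + 1 > self.BULK_THRESHOLD:
                    alerts.add(name)
                    break
        return alerts

def demo():
    """Walk through the controls on constructed data and return the outcomes."""
    now = datetime(2018, 12, 5, 9, 0)
    records = [PayrollRecord(f"E{i:05d}", "ops" if i % 2 else "finance",
                             f"GB00TEST{i:08d}", 20000 + i) for i in range(200)]
    store = PayrollStore(records)
    auditor = User("auditor1", "internal_auditor", "audit")
    clerk = User("clerk1", "payroll_clerk", "ops")
    out = {}
    store.read(clerk, "E00001", now)                  # own team: allowed
    try:
        store.read(clerk, "E00002", now)              # other team: denied
        out["clerk_cross_team"] = "allowed"
    except PermissionError:
        out["clerk_cross_team"] = "denied"
    try:
        store.export(auditor, now)                    # auditor cannot export
        out["auditor_export"] = "allowed"
    except PermissionError:
        out["auditor_export"] = "denied"
    for i in range(60):                               # 60 reads in 10 minutes
        store.read(auditor, f"E{i:05d}", now + timedelta(seconds=10 * i))
    out["alerts"] = store.bulk_read_alerts()          # -> {"auditor1"}
    store.offboard(auditor)
    try:
        store.read(auditor, "E00000", now + timedelta(days=1))
        out["after_offboard"] = "allowed"
    except PermissionError:
        out["after_offboard"] = "denied"
    return out

if __name__ == "__main__":
    print(demo())
```

The point of the bulk-read alert is that an auditor reading sixty records in ten minutes is allowed by policy but abnormal in practice; logging denials alone would never have surfaced an insider whose every individual request was legitimate.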

Interestingly, the appeal court judges acknowledged the difficulty employers face over vicarious liability. Unfortunately, their suggested solution was that organisations should take out insurance against events like the Morrisons breach, a rather fatalistic attitude.

However, there’s still a chance that the judgement could be overturned, with Morrisons saying it plans to take the case to the Supreme Court.


Join us on our next webinar, where we will discuss the In System Authorisation and Rights and Roles Management features built into our Global Payroll Software.



Author: Emma Woollacott

Emma Woollacott is a freelance journalist specialising in business and technology. She writes regularly for the BBC, Forbes, Raconteur and other publications

