This came as a bit of a surprise to me, but I am assuming that Morrisons couldn’t demonstrate that they’d put sufficient controls around unauthorised access to/use of the data.
It is also interesting to see how this sets a precedent for GDPR enforcement when it is tested. Hopefully it will get companies to think more about the effectiveness of controls, rather than taking a tick-box approach to security.
Workers brought a claim against the company after employee Andrew Skelton stole the data, including salary and bank details, of nearly 100,000 staff. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. The case is the first data leak class action in the UK.