The High Court has allowed a compensation claim by thousands of Morrisons staff whose personal details were posted on the internet.
The case has potential implications for every individual and business in the country.
It follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of nearly 100,000 employees - including their names, addresses, bank account details and salaries - putting it online and sending it to newspapers
A group of 5,518 former and current Morrisons employees said this exposed them to the risk of identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.
They are seeking compensation for the upset and distress caused.
Morrisons said it could not be held directly or vicariously liable for Skelton’s criminal misuse of the data and any other conclusion would be grossly unjust.
Following Mr Justice Langstaff’s decision on liability on Friday, Nick McAleenan, of JMW Solicitors, said: “The High Court has ruled that Morrisons was legally responsible for the data leak.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”