Data leak
Morrisons UK Supermarket Insider Data Breach: 100,000 Employees, Landmark Ruling
Primary Source: Incident Details
In early 2014, Andrew Skelton, a senior IT auditor at Morrisons (one of the UK’s largest supermarket chains), deliberately leaked the personal data of 99,998 Morrisons employees as an act of sabotage. Skelton had legitimate access to the payroll data as part of his role. He copied the data to a personal USB drive, then posted it to a file sharing website and sent copies to three newspapers. The data included names, addresses, genders, dates of birth, phone numbers, national insurance numbers, bank account details, and salary information. Skelton was arrested, convicted, and sentenced to 8 years in prison.

The case then became a landmark legal battle on vicarious liability: affected employees brought a class action against Morrisons itself (not Skelton), arguing that Morrisons was vicariously liable for its employee’s wrongdoing. The UK High Court initially found Morrisons vicariously liable, and the Court of Appeal upheld this. However, the UK Supreme Court in April 2020 overturned both lower court decisions, finding Morrisons was NOT vicariously liable because Skelton’s actions were not a direct exercise of his employment functions and were done for personal reasons. The Supreme Court ruling was a landmark for UK data protection law, establishing important limits on employer vicarious liability for deliberate employee data leaks.
Technical Details
- Initial Attack Vector
- A disgruntled senior internal IT auditor at Morrisons (Andrew Skelton), who had legitimate access to payroll data, deliberately copied and leaked the personal and financial data of 99,998 Morrisons employees to newspaper outlets and multiple file sharing websites, motivated by a personal grievance over a disciplinary matter
- Vendor / Product
- Morrisons supermarket internal payroll / employee HR database
Timeline
- 2014-01-01 Breach occurred
- 2014-03-14 Publicly disclosed
- 2014-03-14 Customers notified