Eight years for Morrisons auditor with grudge who leaked colleagues’ data

A MORRISONS employee who posted sensitive personal data relating to almost 100,000 of the supermarket’s staff on the internet and sent it to newspapers due to a “grudge” was today beginning an eight-year jail sentence.

Andrew Skelton outside Bradford Crown Court. Picture: Ross Parry Agency
Andrew Skelton outside Bradford Crown Court. Picture: Ross Parry Agency

Andrew Skelton, 43, was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data, after a four-day trial at Bradford Crown Court.

Skelton leaked the information in response to a warning he was given after the company found out he used the mail room at Morrisons headquarters in Bradford to send out eBay packages, the court heard.

The data breach cost the company more than £2 million to rectify.

Data containing information including salaries, National Insurance numbers, dates of birth and bank account details were sent to The Guardian, Trinity Mirror Newspapers and the Bradford Telegraph & Argus last year. It was also uploaded to data sharing websites.

Skelton, of Water Street, Liverpool, was a senior internal auditor at Morrisons at the time. In 2013 he was the subject of disciplinary action after a package was found in the mail room in Bradford.

Skelton admitted he had been using the mail room to conduct eBay deals and he was given a warning.

The police investigation into the data breach led to detectives discovering a draft resignation letter that Skelton has written around the time of the disciplinary matter.

The jury heard the letter spoke of the “anger and frustration that had not diminished with the passage of time” and how Skelton had “scant regard” for the firm.

After the conviction today, David Holderness of the Crown Prosecution Service said: “Andrew Skelton was in a position of considerable trust with access to confidential personal information as Senior Internal Auditor at Morrisons.

“He abused this position by uploading this information – which included employee’s names, addresses and bank account details onto various internet websites.

“He then attempted to cover his tracks and implicate a fellow employee by using this colleague’s details to set up a fake email account.

“Andrew Skelton’s motive appears to have been a personal grievance over a previous incident where he was accused of dealing in legal highs at work.

“The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees identities being stolen. Currently Morrison’s has incurred costs of almost £2 million as a result of this fraud, costs have included professional fees, legal fees and fees incurred through attempts to safeguard their employees.

“The sentence imposed today sends out a very clear message that we will robustly prosecute serious fraudsters such as Skelton who believe they are above the law.”

A Morrisons’ spokesman said: “Andrew Skelton abused a position of trust to steal data about our colleagues and then place it on the internet.

“We are grateful for the efforts of the West Yorkshire Police in bringing Mr Skelton to justice.

“The guilty verdict and the eight-year prison sentence he received helps to bring closure for us and our employees following this incident.

“All our colleagues were offered identity theft protection as a result of this crime at a significant cost to the company.”

Detective Chief Inspector Gary Hooks, of West Yorkshire Police, said: “I hope that today’s sentence brings some closure to the many victims in this case, and that it sends out a message that cyber crime will not be tolerated in West Yorkshire.

“This has been a lengthy and complex investigation involving specialist staff, who have worked closely with Morrisons throughout.

“It is also a great example of how effective partnerships between industry and the police can help to bring offenders to justice.”