Morrisons has been found liable for the actions of a former member of its staff who stole the data of thousands of employees and posted it online.
Workers brought a claim against the company after employee Andrew Skelton stole the data, including salary and bank details, of nearly 100,000 staff.
The High Court ruling now allows those affected to claim compensation for the “upset and distress” caused.
The case is the first data leak class action in the UK.
Morrisons said it believed it should not have been held responsible and would be appealing against the decision.
The case follows a security breach in 2014 when Skelton, then a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of employees.
He posted the information – including names, addresses, bank account details and salaries – online and and sent it to newspapers.
Skelton’s motive appeared to have been a grudge over an incident when he was accused of dealing so-called legal highs at work.
He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
Lawyers said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.
At the High Court hearing sitting in Leeds, the judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable, adding that primary liability had not been established.
Anya Proops, QC for Morrisons, said Skelton had already caused serious damage to the company and it had incurred more than £2m in costs in responding to the misuse.
She argued the extent to which an employer could be held liable for the criminal misuse of third-party data by an employee was of “huge importance” for individuals, businesses and organisations.
Following the ruling, Nick McAleenan of JMW Solicitors, acting for the claimants, said the leak had caused them “significant worry, stress and inconvenience”.
He said: “This private information belonged to my clients. They are Morrisons checkout staff, shelf stackers, factory workers – ordinary people doing their jobs.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”
Any further hearing about amounts of compensation will not take place until the company’s appeal has concluded.