Morrisons has lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees' details posted online.
The Court of Appeal upheld the original decision against the supermarket, issued in December 2017.
Workers brought a claim against the company after employee Andrew Skelton stole the data, including salary and bank details, of nearly 100,000 staff.
Morrisons said it would now appeal to the Supreme Court.
If that appeal fails, those affected will be able to claim compensation for "upset and distress".
The case is the first data leak class action in the UK.
It follows a security breach in 2014 when Skelton, then a senior internal auditor at the retailer's Bradford headquarters, leaked the payroll data of employees.
He posted the information - including names, addresses, bank account details and salaries - online and and sent it to newspapers.
He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
Morrisons had argued that it could not be held liable for the criminal misuse of its data.
But three Court of Appeal judges rejected the company's appeal, saying they agreed with the High Court's earlier decision.
They said Morrisons was "vicariously liable for the torts committed by Mr Skelton against the claimants".
Nick McAleenan of JMW Solicitors, who was representing the claimants, said they were "delighted" with the outcome.
"These shop and factory workers have held one of the UK's biggest organisations to account and won - and convincingly so," he added.
"This latest judgement provides reassurance to the many millions of people in this country whose own data is held by their employer."
Morrisons said in a statement after the hearing: "A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he's been found guilty for his crimes.
"Morrisons has not been blamed by the courts for the way it protected colleagues' data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
"Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.
"We believe we should not be held responsible, so that's why we will now appeal to the Supreme Court."