Sizable fines assessed for data breaches since 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine, later reduced, while Equifax agreed to pay a minimum of $575 million for its 2017 breach.
Now, the Equifax fine has been eclipsed by the $1.19 billion fine levied against the Chinese firm Didi Global for violating that nation’s data protection laws, and by the $877 million fine against Amazon last year for running afoul of the General Data Protection Regulation (GDPR) in Europe.
Here are the biggest fines and penalties assessed for data breaches or non-compliance with security and privacy laws.
1. Didi Global: $1.19 billion
Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided that the company violated the nations’ network security law, data security law, and personal information protection law. In a statement, Didi Global said it accepted the cybersecurity regulators’ decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities.”
2. Amazon: $877 million
In summer 2021, retail giant Amazon’s financial records revealed that officials in Luxembourg issued a €746 million ($877 million) for breaches of the GDPR. According to a blog post by cybersecurity vendor Tessian, the full reasons behind the fine haven’t yet been confirmed, but it is believed to involve cookie consent. Amazon is said to be appealing the fine, with a spokesperson stating, “There has been no data breach, and no customer data has been exposed to any third party.”
3. Equifax: (At least) $575 Million
2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it been discovered.
In July 2019 the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.”
$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”
Equifax had already been fined £500,000 [~$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.
In 2020, Equifax was made to pay further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US plus $18.2 million and $19.5 million to the states of Massachusetts and Indiana respectively.
4. Instagram: $403 million
In September 2022, Ireland’s Data Protection Commissioner (DPC) fined Instagram for violating children’s privacy under the terms of the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses, which was made more public when some young users upgraded their profiles to business accounts to access analytics tools such as profile visits.
Instagram’s owner, Meta, said it planned to appeal against the decision. “This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private,” a Meta official told BBC News. “While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.”
Andy Burrows, child-safety-online policy head at the National Society for the Prevention of Cruelty to Children (NSPCC) said, “This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.”
5. T-Mobile: $350 million
In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.
“The company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the company, its subsidiaries and affiliates, and its directors and officers,” the filing read. “The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The company believes that terms of the proposed settlement are in line with other settlements of similar types of claims,” it added.
6. Meta (Facebook): $277 million
In November 2022, the Ireland Data Protection Commission (DPC) fined Meta $277 million (€265 million) for the compromise of 500 million users’ personal information. The DPC started its inquiry on April 14, 2021, following reports of a collated data set of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (“MPIL”) during the period between May 25, 2018, and September 2019. “The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” the DPC wrote. “The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.”
The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
7. WhatsApp: $255 million
Facebook-owned messaging service WhatsApp was fined €225 million ($255 million) in August 2021 for a series of GDPR cross-border data protection infringements in Ireland. The fine followed a lengthy investigation and enforcement process which began in 2018 and involved the Data Protection Commission’s proposed decision and sanctions being rejected by its counterpart European data protection regulators, resulting in a referral to and ruling from the European Data Protection Board. Allegations focused on complaints from users and non-users of WhatsApp’s services, involving alleged breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR.
8. Home Depot: ~$200 million
In 2014 Home Depot was involved in one of the largest data breaches to date involving a point-of-sale (POS) system, leading to a number of fines and settlements being paid. Stolen credentials from a third party enabled attackers to enter Home Depot’s network, elevate privileges, and eventually compromise the POS system. More than 50 million credit card numbers and 53 million email addresses were stolen over a five-month period between April and September 2014.
Home Depot has reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016 Home Depot agreed to pay $19.5 million to customers that had been affected by the breach, which included the cost of credit monitoring services to breach victims. In 2017 the firm agreed to pay an additional $25 million to the financial institutions affected by the breach that could be claimed by victims and cover banks’ losses.
Breaches can have a longtail of costs, especially when it comes to fines and settlements. In November 2020, the retailer paid a further $17.5 million settlement to 46 US states and Washington DC for the breach. The agreement also compels Home Depot to employ a highly qualified CISO, provide security training for key personnel, and ensure security controls and policies in areas like identity and access, monitoring, and incident response.
9. Capital One: $190 million
In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit filed against it by U.S. customers over a 2019 data breach that affected 100 million people. This settlement comes more than a year after the U.S. Office of the Comptroller of the Currency fined Capital One $80 million for the same breach (see below).
A software engineer at AWS was behind the attack, which exposed information including bank account details. “While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs,” a filing with the U.S. District Court for the Eastern District of Virginia read. In an emailed statement, Capital One said that key facts in the case had not changed since it announced the event in coordination with federal authorities more than two years ago, with the hacker arrested and the stolen data recovered before it could be disseminated or used for fraudulent purposes. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.,” the company added.
10. Uber: $148 million
In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.
11. Morgan Stanley: $120 million (total)
In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The agreement, if approved by a federal judge in Manhattan, will resolve a class-action lawsuit was that filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. According to claimants, Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients. It is alleged data center equipment decommissioned by the firm in 2016 and 2019 was not efficiently wiped clean and a software flaw meant that unencrypted, sensitive data was visible to whoever purchased the equipment.
The proposed claim settlement comes more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC) in relation to the same incidents. The OCC stated that Morgan Stanley failed “to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S. Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.” In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data, the OCC added.
In a statement on the recent settlement agreement, Morgan Stanley said: “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation.”
12. Google Ireland: 102 million
Google Ireland was hit by a €90 million ($102 million) fine by French data protection authority the CNIL on January 6, 2022. The fine related to how Google’s European arm implements cookie consent procedures on YouTube. “The CNIL has received many complaints about the way cookies can be refused on the websites google.fr and youtube.com,” it wrote. “In June 2021, the CNIL carried out an online investigation on these websites and found that, while they offer a button allowing immediate acceptance of cookies, the sites do not implement an equivalent solution (button or other) enabling the user to refuse the deposit of cookies equally easily. Several clicks are required to refuse all cookies, against a single one to accept them.” The restricted committee considered that this process affected the freedom of consent of internet users and constituted an infringement of Article 82 of the French Data Protection Act.
Editor’s note: This article, originally published in July 2019, is frequently updated as new information on incident penalties becomes available.
Copyright © 2022 IDG Communications, Inc.