The biggest data breach fines, penalties and settlements so far

Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes have cost these companies a total of nearly $1.63 billion and counting.

Sizable fines assessed for data breaches in 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. In the UK British Airways was hit with a record $230 million penalty, followed shortly by a $124 million fine for Marriott, while in the US Equifax agreed to pay a minimum of $575 million for its 2017 breach. 

This comes after an active 2018. Uber’s poor handling of its 2016 breach cost it close to $150 million. Weakly protected and heavily regulated health data cost medical facilities big that year, too, resulting in the US Department of Health and Human Services collecting increasingly large fines.

Equifax: (At least) $575 Million

2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it been discovered. 

In July 2019 the credit agency agreed to pay $575 million -- potentially rising to $700 million -- in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s "failure to take reasonable steps to secure its network." 

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

Equifax had already been fined £500,000 [~$625,000]  in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.

British Airways: $230 million

Despite all threats and scare-mongering about the potential size of fines, the first 12 months of the EU’s General Data Protection Regulation (GDPR) had relatively little in the way of punitive action. Fines issued by data protection firms across mainland Europe that related to data breaches had been in the tens or relatively low hundreds of thousands of euros and generally were in line with the kinds of finds companies were receiving under prior regulations. With a lot of money being spent on compliance efforts and seemingly light punishment for failure, there was a growing worry that GDPR might actually be something of a damp squib.

That quickly changed after BA was fined a record £183 million [~$230 million], the highest data breach penalty to date and surpassing the $148 million Uber paid out in 2018. British Airways was fined by the UK’s data protection authority, the ICO, after the Magecart group used card skimming scripts to harvest the personal and payment data of up to 500,00 customers over a two-week period.

The ICO said its investigation found “poor security arrangements at the company” led to the breach. The BA fine shows that the regulation does have real teeth and the data protection authorities aren’t afraid to exercises their powers. Given that the GDPR has been one of the main drivers for pushing security higher up the agenda with boards, this will give CSOs and privacy/compliance offers renewed impetus to strengthen their security programs further.

Uber: $148 million

In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.

Marriott International: $124 million

GDPR fines are like buses: You wait ages for one and then two show up at the same time. Just days after a record fine for British Airways, the ICO issued a second massive fine over a data breach.

Marriott International was fined £99 million [~$124 million] after payment information, names, addresses, phone numbers, email addresses and passport numbers of up to 500 million customers were compromised. The source of the breach was Marriott's Starwood subsidiary; attackers were thought to be on the Starwood network for up to four years and some three after it was bought by Marriott in 2015. 

According to the ICO’s statement, Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” Marriott CEO Arne Sorenson said the company was “disappointed” with the fine and plans to contest the penalty.  

The hotel chain was also fined 1.5 million Lira (~$265,000) by the Turkish data protection authority — not under the GDPR legislation — for the beach, highlighting how one breach can result in multiple fines globally.

Yahoo: $85 million

In 2013 Yahoo suffered a massive security breach that affected its entire database, about 3 billion accounts — almost the entire population of the web. The company, however, didn’t disclose this information for three years.

In April 2018, the U.S. Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose the breach. In September, Yahoo’s new owner Altaba admitted that it had settled a class action lawsuit resulting from the breach to the tune of $50 million.

A total bill of $85 million for 3 billion accounts works out to around $36 per record. 

Capital One: $80 million

In 2019 Captial One bank suffered a breach affecting 100 million people in the US and 6 million in Canada. The company said an "outside individual" – later identified as former Amazon Web Services software engineer Paige Thompson – had obtained personal information of Capital One credit card customers and people who had applied for credit card products via a configuration vulnerability in the company’s web application firewall.

Information taken included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, self-reported income as well as credit scores, credit limits, balances, payment history, contact information, fragments of transaction data, some Social Security numbers and some bank account numbers.

The Office of the Comptroller of the Currency fined Capital One $80 million for “failure to establish effective risk assessment processes” when migrating operations to public cloud environment as well as a “failure to correct the deficiencies in a timely manner.”

Tesco Bank: $21 million

Tesco Bank, the retail banking arm of the UK supermarket chain, was hit with a £16.4 million ($21.2 million) fine in 2018 by the UK’s Financial Conduct Authority (FCA) after just under $3 million was stolen from 9,000 customer accounts in 2016. The FCA accused Tesco’s of “deficiencies” in the design of its debit card, financial crime controls and in its Financial Crime Operations Team.

Target: $18.5 million

In 2017, retail giant Target agreed to a $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-thanksgiving Black Friday sales rush. Later investigations found names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reach over $200 million.

Anthem: $16 million

U.S. health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The breach included names, birthdates, Social Security numbers and medical IDs. In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class-action lawsuit relating to the breach.

1&1 Telecom: $10.6 million

It's not just the UK's ICO which is handing out large GDPR fines. German web hosting company 1&1 was fined €9.55 million ($10.6 million) by Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) for not taking "sufficient technical and organizational measures" to prevent unauthorized persons using its customer service department to gain access to customer data. Its poor authentication processes meant that callers could obtain information on other customers by simply providing the name and birthdate of the person they wanted information on. 

Other large GDPR fines for non-breach related reasons include an €18 million fine against the Austrian postal service for processing the political affiliation of data subjects and €14.5 million against German property company Deutsche Wohnen for retaining customer data after it was no longer needed.

Google: $7.5 million

More normally associated with fines around monopolies and anti-trust, 2020 saw Google agree to pay $7.5 million to resolve a class-action lawsuit over two Google+ incidents. The search giant originally announced it planned to shut down its Google+ social network in October 2018 after revealing a bug in a Google+ API that allowed developers access to data marked as private. Though Google claimed there was no evidence this bug was exploited, it acknowledged that over 400 applications used this API and potentially affected over 500,000 accounts.

Two months later Google announced a second incident involving Google+ and was shutting down four months earlier than originally stated after another API issue gave developers access to private profile information on 52.5 million users. (Again, the company said it didn’t think there had been any exploitation of this bug.)

Two class actions suits were filed in 2018 but later consolidated into one, and January 2020 saw a settlement agreed that would allow all users with Google+ accounts between January 2015 and April 2, 2019, whose non-public information was exposed to receive between $5 and $12 each.

The University of Texas MD Anderson Cancer Center: $4.3 million

In June 2018 a judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer center suffered three data breaches between 2012 and 2013, which resulted in the loss of health information ofover 33,500 individuals. In one case an unencrypted laptop was stolen from an employee’s residence. The other two breaches involved the loss of unencrypted USBs.

Fresenius Medical Care North America: $3.5 million

HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012. An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”

These failures include not preventing unauthorized access to facilities and equipment, failing to encrypt health data, not governing the removal of electronic media holding health data, and having a lack of security incident procedures.

Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center (URMC): $3 million each

2019 saw three large HIPAA violations; $3 million each for Cottage Health & Touchstone Medical Imaging.

Cottage health was fined for two breaches — one in 2013 and another in 2015 — resulting in electronic protected health information (ePHI) affecting over 62,500 individuals being leaked. Both incidents involved servers holding ePHI being accessible over the internet.

Tennessee-based Touchstone Medical Imaging was fined after leaving the protected health information (PHI) of over 300,000 patients available online through an exposed FTP server. Touchstone was notified about this exposure by the FBI in 2014 but claimed no patient PHI was exposed.

The US Department of Health and Human Services (HHS) found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.” In addition, the HHS said that notification to individuals affected by the breach was “untimely,” that Touchstone “failed to conduct an accurate and thorough risk analysis of potential risks,” and the company “failed to have business associate agreements in place with its vendors.”

1 2 Page 1
Page 1 of 2
The 10 most powerful cybersecurity companies