Sizable fines assessed for data breaches since 2019 suggest that regulators are getting more serious about organizations that don't properly protect consumer data. Marriott was hit with a $124 million fine, later reduced, while Equifax agreed to pay a minimum of $575 million for its 2017 breach.

Now, the Equifax fine has been eclipsed by the $1.19 billion fine levied against the Chinese firm Didi Global for violating that nation's data protection laws, and by the $877 million fine against Amazon last year for running afoul of the General Data Protection Regulation (GDPR) in Europe.

Here are the biggest fines and penalties assessed for data breaches or non-compliance with security and privacy laws.

1. Didi Global: $1.19 billion

Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided that the company violated the nation's network security law, data security law, and personal information protection law. In a statement, Didi Global said it accepted the cybersecurity regulator's decision, which came after a year-long investigation into the firm over its security practices and "suspected illegal activities."

2. Amazon: $877 million

In summer 2021, retail giant Amazon's financial records revealed that officials in Luxembourg had issued a €746 million ($877 million) fine for breaches of the GDPR. According to a blog post by cybersecurity vendor Tessian, the full reasons behind the fine haven't yet been confirmed, but it is believed to involve cookie consent. Amazon is said to be appealing the fine, with a spokesperson stating, "There has been no data breach, and no customer data has been exposed to any third party."

3. Equifax: (At least) $575 million

2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it had been discovered.

In July 2019 the credit agency agreed to pay $575 million -- potentially rising to $700 million -- in a settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company's "failure to take reasonable steps to secure its network."

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers."

Equifax had already been fined £500,000 [~$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.

In 2020, Equifax was made to pay further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US, plus $18.2 million and $19.5 million to the states of Massachusetts and Indiana respectively.

4. Instagram: $403 million

In September 2022, Ireland's Data Protection Commissioner (DPC) fined Instagram for violating children's privacy under the terms of the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses, which was made more public when some young users upgraded their profiles to business accounts to access analytics tools such as profile visits.

Instagram's owner, Meta, said it planned to appeal against the decision. "This inquiry focused on old settings that we updated over a year ago and we've since released many new features to help keep teens safe and their information private," a Meta official told BBC News. "While we've engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it."

Andy Burrows, child-safety-online policy head at the National Society for the Prevention of Cruelty to Children (NSPCC), said, "This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online."

5. TikTok: €345 million ($370 million)

In September 2023, TikTok was handed a €345 million ($370 million) fine by the Irish Data Protection Commission (DPC) for violating children's data privacy under GDPR law. The DPC found that TikTok had not been transparent enough with children about its privacy settings, and raised questions about how their data was processed.

The inquiry sought to examine the extent to which, during the period between July 31 2020 and December 31 2020, TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:

"As part of the inquiry, the DPC also examined certain of TTL's transparency obligations, including the extent of information provided to child users in relation to default settings," the DPC said. The DPC's decision, which was adopted on September 1 2023, recorded findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR – these relate to a range of matters including data security, data protection by design, and data processing.

A spokesperson for the social media firm said it "respectfully disagree[s] with the decision, particularly the level of the fine imposed," according to the BBC.

6. T-Mobile: $350 million

In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around "unauthorized access" to T-Mobile's systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs' counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.

"The company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the company, its subsidiaries and affiliates, and its directors and officers," the filing read. "The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The company believes that terms of the proposed settlement are in line with other settlements of similar types of claims," it added.

7. Meta (Facebook): $277 million

In November 2022, the Irish Data Protection Commission (DPC) fined Meta $277 million (€265 million) for the compromise of 500 million users' personal information. The DPC started its inquiry on April 14, 2021, following reports of a collated data set of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited ("MPIL") during the period between May 25, 2018, and September 2019. "The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default," the DPC wrote. "The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC."

The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

8. WhatsApp: $255 million

Facebook-owned messaging service WhatsApp was fined €225 million ($255 million) in August 2021 for a series of GDPR cross-border data protection infringements in Ireland. The fine followed a lengthy investigation and enforcement process which began in 2018 and involved the Data Protection Commission's proposed decision and sanctions being rejected by its counterpart European data protection regulators, resulting in a referral to and ruling from the European Data Protection Board. Allegations focused on complaints from users and non-users of WhatsApp's services, involving alleged breaches of transparency and data subject information obligations under Articles 12, 13 and 14 of the GDPR.

9. Home Depot: ~$200 million

In 2014 Home Depot was involved in one of the largest data breaches to date involving a point-of-sale (POS) system, leading to a number of fines and settlements being paid. Stolen credentials from a third party enabled attackers to enter Home Depot's network, elevate privileges, and eventually compromise the POS system. More than 50 million credit card numbers and 53 million email addresses were stolen over a five-month period between April and September 2014.

Home Depot has reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016 Home Depot agreed to pay $19.5 million to customers that had been affected by the breach, which included the cost of credit monitoring services to breach victims. In 2017 the firm agreed to pay an additional $25 million to the financial institutions affected by the breach, which could be claimed by victims and cover banks' losses.

Breaches can have a long tail of costs, especially when it comes to fines and settlements. In November 2020, the retailer paid a further $17.5 million settlement to 46 US states and Washington DC for the breach. The agreement also compels Home Depot to employ a highly qualified CISO, provide security training for key personnel, and ensure security controls and policies in areas like identity and access, monitoring, and incident response.

10. Capital One: $190 million

In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit filed against it by U.S. customers over a 2019 data breach that affected 100 million people. This settlement comes more than a year after the U.S. Office of the Comptroller of the Currency fined Capital One $80 million for the same breach (see below).

A software engineer at AWS was behind the attack, which exposed information including bank account details. "While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs," a filing with the U.S. District Court for the Eastern District of Virginia read. In an emailed statement, Capital One said that key facts in the case had not changed since it announced the event in coordination with federal authorities more than two years ago, with the hacker arrested and the stolen data recovered before it could be disseminated or used for fraudulent purposes. "We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.," the company added.

11. Uber: $148 million

In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.

12. Morgan Stanley: $120 million (total)

In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The agreement, if approved by a federal judge in Manhattan, will resolve a class-action lawsuit that was filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. According to claimants, Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients. It is alleged that data center equipment decommissioned by the firm in 2016 and 2019 was not effectively wiped clean, and that a software flaw meant unencrypted, sensitive data was visible to whoever purchased the equipment.

The proposed claim settlement comes more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC) in relation to the same incidents. The OCC stated that Morgan Stanley failed "to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S. Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices." In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data, the OCC added.

In a statement on the recent settlement agreement, Morgan Stanley said: "We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation."

13. Google Ireland: $102 million

Google Ireland was hit with a €90 million ($102 million) fine by French data protection authority the CNIL on January 6, 2022. The fine related to how Google's European arm implements cookie consent procedures on YouTube. "The CNIL has received many complaints about the way cookies can be refused on the websites google.fr and youtube.com," it wrote. "In June 2021, the CNIL carried out an online investigation on these websites and found that, while they offer a button allowing immediate acceptance of cookies, the sites do not implement an equivalent solution (button or other) enabling the user to refuse the deposit of cookies equally easily. Several clicks are required to refuse all cookies, against a single one to accept them." The restricted committee considered that this process affected the freedom of consent of internet users and constituted an infringement of Article 82 of the French Data Protection Act.

Editor's note: This article, originally published in July 2019, is frequently updated as new information on incident penalties becomes available.