51 Biggest Data Breach Fines, Penalties and Settlements so Far

Updated on: August 29, 2023

Experts at Ponemon Institute reveal that the average cost of a data breach will reach around $5 million in 2023, up from $4.35 million in 2022 and $4.24 million in 2021. With the frequency and severity of data breaches on the rise, businesses must prioritize data security to avoid hefty fines and penalties.

Human error, insider threats, and cyberattacks are the most common causes of data breaches. Regulatory bodies such as the Information Commissioner’s Office (ICO) in the UK and the Department of Health and Human Services (HHS) in the US, GDPR, HIPAA, and ISO are imposing significant fines and penalties on businesses that experience data breaches. 

51 Biggest Data Breach Fines and Penalties at a Glance

This section provides a brief overview of data breach fines and data breach penalties imposed globally.

| Sr no. | Name of Company | Amount of fine | Imposing Authority |
|---|---|---|---|
| 1 | Didi Global | $1.2 billion | Chinese Government |
| 2 | Facebook | $725 million | FTC |
| 3 | Amazon | $886 million | Luxembourg National Commission for Data Protection |
| 4 | Equifax | $700 million | FTC |
| 5 | Epic Games | $520 million | Violating COPPA |
| 6 | T-Mobile | $500 million | Lawsuit |
| 7 | Home Depot | | Ongoing Lawsuit |
| 8 | Capital One | $80 million | OCC |
| 9 | Google | $170 million | Violating COPPA |
| 10 | Twitter | $150 million | FTC |
| 11 | Uber | $148 million | Delay in reporting a data breach |
| 12 | Morgan Stanley | $150 million | SEC |
| 13 | Anthem | $115 million | |
| 14 | CafePress | $500,000 | FTC |
| 15 | Zoetis | $1.9 million | |
| 16 | Health Net | $250,000 | GDPR |
| 17 | eBay | $7.2 million | GDPR |
| 18 | Yahoo | $35 million | Multiple regulatory bodies |
| 19 | LinkedIn | $3 million | Dutch Data Protection Authority |
| 20 | Target | $18.5 million | 47 US states |
| 21 | Marriott International | $23.8 million | GDPR |
| 22 | Premera Blue Cross | $10 million | Multiple regulatory agencies |
| 23 | British Airways | $230 million | ICO, UK |
| 24 | Advocate Health | $5.5 million | HIPAA |
| 25 | Aetna | $1.15 million | HIPAA |
| 26 | Anthem | $115 million | HIPAA |
| 27 | Cathay Pacific | $644,000 | Hong Kong Privacy Commissioner |
| 28 | Fresenius | $3.5 million | HIPAA |
| 29 | The University of Rochester Medical Center | $3 million | HHS |
| 30 | Massachusetts Eye and Ear Infirmary | $1.5 million | HIPAA |
| 31 | CVS Health | $2.25 million | HIPAA |
| 32 | MD Anderson Cancer Center | $4.3 million | HIPAA |
| 33 | Athens Orthopedic Clinic | $1.5 million | HIPAA |
| 34 | Cottage Health | $3 million | HIPAA |
| 35 | Austrian Post | €18 million | GDPR |
| 36 | Oregon Health & Science University | $2.7 million | HIPAA |
| 37 | Parkview Health | $800,000 | HIPAA |
| 38 | LifeSpan Health | $1.5 million | HIPAA |
| 39 | 21st Century Oncology | $2.3 million | HIPAA |
| 40 | REWE International | $33 million | GDPR |
| 41 | Dutch Tax and Customs Administration | $800,000 | GDPR |
| 42 | Boston Medical Center | $100,000 | HIPAA |
| 43 | Cosmote Telecom | $5.1 million | GDPR |
| 44 | Excellus Health Plan | $380.5 million | HIPAA |
| 45 | Dixons Carphone | £500,000 | Information Commissioner’s Office (ICO) |
| 46 | Google | $1.7 billion | European Union |
| 47 | National Revenue Agency (Bulgaria) | unconfirmed | unconfirmed |
| 48 | Enel Energia | €11.5 million | Italian data protection authority |
| 49 | BBVA | €5 million | Spanish Data Protection Agency |
| 50 | Columbia University Medical Center | $9.5 million | HIPAA |
| 51 | ENI | €5 million | Italian Data Protection Authority |

1. Didi Global

In July 2021, the Chinese ride-hailing giant Didi Global was fined $1.2 billion in a data breach lawsuit by the Chinese government for violating data privacy laws.

Cause of violation 

The company was accused of collecting and using personal data without consent and failing to protect user information from cyberattacks. The data breach occurred when Didi’s databases were hacked in May and June of 2021, compromising the personal information of millions of users, including names, phone numbers, and addresses.

How could it be avoided?

  • Didi could have avoided penalization by implementing stronger data protection measures.
  • Stronger measures could have included encryption, multi-factor authentication, and regular security audits.
  • User data should not be used without explicit consent.
  • Protocols for quickly detecting and responding to cyberattacks could minimize the impact of data breaches.

2. Facebook

In July 2019, Facebook was fined $725 million by the Federal Trade Commission (FTC) for failing to protect user data and engaging in deceptive practices.

Cause of violation 

The data breach occurred when Cambridge Analytica, a political consulting firm, obtained data from millions of Facebook users without their consent. Facebook was accused of failing to adequately protect user data and failing to disclose to users how their data was being used. Additionally, Facebook was accused of engaging in deceptive practices by misleading users about the amount of control they had over their data.

How could it be avoided?

  • Restrict third-party access to user data.
  • Provide users with more transparency and control over their data.

3. Amazon

In July 2021, Amazon was fined $886 million by the Luxembourg National Commission for Data Protection for a compliance breach violating the EU’s General Data Protection Regulation (GDPR).

Cause of violation 

Amazon was accused of processing personal data in violation of GDPR, specifically regarding its targeted advertising practices. The company was found to be collecting data on users’ online activities, including searches and purchases, and using that data to display targeted ads without users’ consent.

How could it be avoided?

  • Be transparent with users about data collection and processing practices.
  • Obtain explicit consent before collecting and using personal data for targeted advertising.
  • Implement stronger data protection measures to securely store and protect user data from unauthorized access.

4. Equifax

In July 2019, Equifax was fined $700 million by the Federal Trade Commission (FTC) for failing to protect user data.

Cause of violation 

The data breach occurred in 2017 when Equifax’s databases were hacked, exposing the personal information of over 143 million Americans. The company was accused of failing to implement adequate data security measures, including failure to patch a known vulnerability in its systems.

How could it be avoided? 

  • Implement stronger data protection measures, such as regular security audits, encryption, and multi-factor authentication.
  • Ensure that all known vulnerabilities in systems are patched in a timely manner to prevent data breaches.

5. Epic Games

In February 2019, Epic Games was fined $520 million by the Federal Trade Commission (FTC) for violating the Children’s Online Privacy Protection Act (COPPA).

Cause of violation 

The company was accused of collecting personal information, including names and email addresses, from minors without obtaining parental consent. The FTC also alleged that Epic Games failed to adequately protect the personal information of its users, resulting in a data breach in 2018.


How could it be avoided?

  • Implement stronger data protection measures to safeguard personal information.
  • Obtain explicit parental consent before collecting personal information from minors.
  • Implement protocols to quickly detect and respond to cyberattacks to prevent data breaches.

6. T-Mobile

In August 2021, T-Mobile faced a lawsuit seeking a data breach settlement for damages of over $500 million after a data breach compromised the personal information of over 50 million customers.

Cause of violation 

The data breach occurred when hackers gained access to T-Mobile’s servers, exposing personal data including names, phone numbers, and Social Security numbers. The company was accused of failing to adequately protect user data and respond to the breach in a timely manner.

How could it be avoided?

  • Implement stronger data protection measures such as encryption, multi-factor authentication, and regular security audits.
  • Respond to the breach in a timely and transparent manner.
  • Notify customers of the breach and offer identity theft protection services.

7. Home Depot

In 2014, Home Depot faced a data breach lawsuit after a data breach compromised the personal information of over 50 million customers.

Cause of violation 

The data breach occurred when hackers gained access to Home Depot’s payment systems, stealing credit and debit card information from customers. The company was accused of failing to adequately protect user data and respond to the breach in a timely manner.

How could it be avoided?

  • Implement stronger data protection measures, such as encryption, multi-factor authentication, and regular security audits.
  • Respond to the breach in a timely and transparent manner.
  • Notify customers of the breach and offer identity theft protection services.

8. Capital One

In 2019, Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) after a data breach exposed the personal information of over 100 million customers.

Cause of violation 

The data breach occurred when a hacker gained access to Capital One’s cloud-based storage, stealing credit card applications, Social Security numbers, and other personal information. The company was accused of failing to adequately protect user data and respond to the breach in a timely manner.

How could it be avoided?

  • Strengthen data protection measures such as encryption, multi-factor authentication, and regular security audits.
  • Respond to breaches transparently and promptly.
  • Notify customers of the breach and offer identity theft protection services.

9. Google

In 2019, Google was fined $170 million by the Federal Trade Commission (FTC) for violating the Children’s Online Privacy Protection Act (COPPA).

Cause of violation 

The company was accused of collecting personal information from children without parental consent on its YouTube platform, and using that information to serve targeted advertisements.

How could it be avoided?

  • Implement better age verification systems and obtain parental consent before collecting personal information from children.
  • Improve data protection practices and implement regular security audits.
  • Ensure that user data is adequately protected.

10. Twitter

In 2020, Twitter was fined $150 million by the FTC for violating data privacy laws.

Cause of violation 

The company was accused of using phone numbers and email addresses collected for security purposes for targeted advertising, and failing to adequately protect user data from unauthorized access.

How could it be avoided? 

  • Implement stronger data protection measures, such as encryption and multi-factor authentication.
  • Regularly audit security practices.
  • Ensure that user data is not used for unintended purposes without explicit consent.

11. Uber

In 2018, Uber agreed to pay a cyber attack settlement of $148 million to settle allegations of covering up a data breach that occurred in 2016 and affected over 57 million users and drivers.

Cause of violation 

The company was accused of failing to disclose the breach in a timely manner and paying hackers $100,000 to delete the stolen data and keep the breach quiet.

How could it be avoided? 

  • Promptly disclose the breach to authorities and affected users.
  • Implement stronger data protection measures, such as encryption, and conduct regular security audits.
  • Establish protocols for detecting and responding to breaches to prevent similar incidents from occurring.

12. Morgan Stanley

In 2021, Morgan Stanley agreed to pay $150 million to the Securities and Exchange Commission (SEC) for failing to adequately protect customer data during a data breach that occurred in 2019.

Cause of violation 

The company was accused of failing to adequately monitor its employees’ access to confidential customer data and allowing an employee to access and copy such data without authorization.

How could it be avoided? 

  • Implementing stricter access controls and monitoring systems to prevent unauthorized access to customer data.
  • Improving its data protection practices.
  • Conducting regular security audits to detect and address vulnerabilities.

13. Anthem

In 2018, Anthem, one of the largest health insurance companies in the United States, agreed to pay $115 million to settle allegations related to a data breach that occurred in 2015.

Cause of violation 

The company was accused of failing to adequately protect customer data and allowing hackers to gain access to sensitive information, including names, birth dates, Social Security numbers, and medical identification numbers.

How could it be avoided? 

  • Implementing stronger data protection measures, such as encryption and multi-factor authentication.
  • Testing its security systems for vulnerabilities regularly. 
  • Establishing protocols for detecting and responding to breaches to prevent similar incidents from occurring.

14. CafePress

In 2019, CafePress, an online retailer of personalized products, agreed to pay $500,000 to settle allegations that it failed to adequately protect customer data.

Cause of violation 

The company was accused of failing to properly secure its computer network, which resulted in a data breach that exposed the personal information of millions of customers, including names, email addresses, and passwords.

How could it be avoided? 

  • Implementing stronger security protocols
  • Regular pentesting

15. Zoetis

In 2021, Zoetis, a global animal health company, agreed to pay $1.9 million to settle allegations that it failed to adequately protect customer data.

Cause of violation 

The company was accused of failing to implement adequate security measures and allowing a cyberattack to occur that resulted in the theft of sensitive business information.

How could it be avoided?

  • Implementing stronger security protocols
  • Regular vulnerability assessment and pentesting 

16. Health Net – $250,000 HIPAA

In 2009, Health Net suffered a data breach in which nine server drives containing personal and medical information of 1.9 million policyholders were lost.

Cause of violation 

Health Net failed to implement appropriate physical, administrative, and technical safeguards to protect patient data, as required by HIPAA regulations. Additionally, the company did not have proper risk management practices in place to identify, prevent, and mitigate potential data breaches.

How could it be avoided?

  • Establishing strong security practices such as encryption and multi-factor authentication to protect patient data.
  • Conducting regular risk assessments and audits to identify and address potential vulnerabilities in their systems.

17. eBay

In 2014, eBay suffered a cyber attack in which hackers gained access to the personal information of 145 million users, including email addresses, dates of birth, and encrypted passwords. The company was fined $7.2 million.

Cause of violation 

eBay’s security system was not strong enough to prevent the cyber attack, and the company failed to take appropriate measures to protect user data.

How could it be avoided? 

  • Better monitoring of systems.
  • Vulnerability assessments

18. Yahoo

In 2017, Yahoo was fined $35 million by the SEC for failing to disclose a data breach that occurred in 2014.

Cause of violation 

Yahoo was accused of failing to inform investors about the breach promptly, which involved the theft of the personal data of millions of users, including names, email addresses, dates of birth, and phone numbers.

How could it be avoided?

  • Promptly disclosing the breach to the public and the SEC. 
  • Implementing measures to prevent future breaches. 
  • The company should have also implemented stronger security measures to protect user data.

19. LinkedIn

In 2021, LinkedIn was fined $3 million by the Dutch Data Protection Authority for violating data protection laws.

Cause of violation 

The company was accused of using the email addresses of 18 million non-LinkedIn users to target ads on Facebook without their consent.

How could it be avoided?

  • Obtaining explicit consent from non-LinkedIn users before using their data for ad targeting purposes.
  • The company could have also implemented more rigorous data protection policies to ensure that user data is not misused.

20. Target

In 2017, Target settled a lawsuit with 47 states for $18.5 million for a data breach that occurred in 2013.

Cause of violation 

The data breach occurred when hackers gained access to Target’s payment system, stealing the credit and debit card information of millions of customers. The breach was caused by a vulnerability in Target’s security system that allowed hackers to exploit the payment system.

How could it be avoided?

  • Better security policies could be implemented
  • Better incident response would have helped

21. Marriott International

In 2020, Marriott International was fined $23.8 million by the UK’s Information Commissioner’s Office (ICO) for violating GDPR regulations.

Cause of violation 

The company was accused of failing to conduct proper due diligence when it acquired Starwood Hotels in 2016, which had already experienced a data breach. The breach exposed the personal information of over 339 million guests, including names, addresses, phone numbers, email addresses, passport numbers, and dates of birth.

How could it be avoided?

  • Conducting proper due diligence before acquiring Starwood Hotels and implementing stronger security measures to protect customer data. 
  • Responding to the breach more quickly and providing more transparent communication to its customers about the incident.

22. Premera Blue Cross

In 2015, Premera Blue Cross, a healthcare company based in the US, was fined $10 million by the US Department of Health and Human Services for a data breach that occurred between 2014 and 2015.

Cause of violation 

The breach exposed the personal information of over 10 million individuals, including names, addresses, Social Security numbers, and health information. The company was found to have failed to implement adequate security measures to protect its systems and detect the breach in time.

How could it be avoided?

  • Regular security audits and vulnerability scans. 
  • Training employees on proper data handling procedures 
  • Establishing a response plan to detect and respond to breaches quickly.

23. British Airways

In 2019, British Airways was fined $230 million by the UK’s Information Commissioner’s Office (ICO) for a data breach that occurred in 2018.

Cause of violation 

The breach exposed the personal information of around 500,000 customers, including names, addresses, payment card details, and travel booking details. The company was found to have failed to implement adequate security measures to protect their systems, detect the breach in a timely manner, and respond appropriately.

How could it be avoided?

  • Vulnerability assessments
  • Proper training of employees on secure practices
  • Finally, ensuring that payment card information is stored in compliance with the Payment Card Industry Data Security Standard (PCI DSS)

24. Advocate Health Care Network

In August 2016, Advocate Health Care Network, a nonprofit healthcare system in Illinois, was fined $5.55 million for multiple data breaches that occurred between 2013 and 2014.

Cause of violation

The breaches were caused by the theft of four unencrypted laptops and the unauthorized access of an unencrypted desktop computer containing the electronic protected health information (ePHI) of over four million patients.

How could it be avoided?

  • Implementing policies and procedures to secure electronic devices containing sensitive information, such as encryption and password protection. 
  • The company could have also conducted regular risk assessments and implemented access controls to restrict unauthorized access to sensitive data.

25. Aetna

In January 2017, Aetna was fined $1.15 million for disclosing the HIV statuses of 12,000 members in a mass mailing.

Cause of violation 

Aetna sent letters to its members regarding the availability of HIV medications that were visible through the envelope window, thereby revealing the members’ HIV status.

How could it be avoided?

  • Taking steps to ensure the confidentiality of its members’ medical information 
  • Implementing employee training programs to ensure that employees were aware of the importance of protecting sensitive information and the potential consequences of violating privacy laws

26. Anthem

In 2015, Anthem, the second-largest health insurance company in the US, was fined $115 million for a data breach that compromised the personal information of nearly 80 million customers.

Cause of violation 

The breach occurred when cybercriminals gained access to Anthem’s database, compromising sensitive personal information, including names, birth dates, social security numbers, and medical IDs.

How could it be avoided?

Anthem could have avoided the breach by implementing stronger cybersecurity measures, such as multi-factor authentication, data encryption, and regular security audits. 

27. Cathay Pacific

In October 2018, the Hong Kong-based airline, Cathay Pacific, was fined HK$5 million ($644,000) by the Hong Kong Privacy Commissioner for exposing the personal information of 9.4 million passengers.

Cause of violation 

The breach occurred when hackers gained access to Cathay Pacific’s database, compromising sensitive personal information, including names, nationalities, passport numbers, dates of birth, email addresses, and credit card information.

How could it be avoided?

  • More secure data storage
  • Better security practices
  • Regular risk assessments

28. Fresenius

In 2019, Fresenius Medical Care North America (FMCNA), one of the world’s largest providers of dialysis products and services, agreed to pay $3.5 million to settle allegations that it failed to adequately safeguard patients’ electronic protected health information (ePHI) and violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Cause of violation 

An investigation by the Department of Health and Human Services Office for Civil Rights (OCR) found that FMCNA had failed to implement appropriate safeguards to protect ePHI, including failing to conduct risk analyses, implement risk management plans, encrypt ePHI, and address known security deficiencies.

How could it be avoided?

  • Implementing effective security measures
  • Regular risk assessments

29. The University of Rochester Medical Center

In February 2021, the University of Rochester Medical Center (URMC) agreed to pay $3 million to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Cause of violation 

The OCR’s investigation found that URMC had potentially violated HIPAA’s Security and Privacy Rules between 2013 and 2017. The potential violations related to the failure to conduct an accurate and thorough risk analysis, failure to implement sufficient risk management measures, and failure to implement procedures to regularly review records of information system activity.

How could it be avoided?

  • Conducting a thorough and accurate risk analysis 
  • Implementing appropriate risk management measures 
  • Regularly reviewing records of information system activity 

Additionally, URMC could have ensured that its policies and procedures were in compliance with HIPAA’s Security and Privacy Rules and trained its workforce on HIPAA compliance.

30. Massachusetts Eye and Ear Infirmary

In 2019, Massachusetts Eye and Ear Infirmary was fined $1.5 million by the U.S. Department of Health and Human Services for violating the Health Insurance Portability and Accountability Act (HIPAA).

Cause of violation 

The hospital violated HIPAA rules by allowing employees to use a file-sharing app on their smartphones that stored electronic patient data without proper safeguards. This led to the exposure of the personal health information (PHI) of over 3,500 patients, including names, addresses, dates of birth, and medical diagnoses.

How could it be avoided?

  • Implementing strict policies that prohibit the use of unauthorized file-sharing apps 
  • Providing employees with secure tools for accessing patient data. 
  • Additionally, the hospital could have conducted regular security risk assessments to identify and address potential vulnerabilities in their systems and processes.

31. CVS Health

In 2019, CVS Health was fined $2.25 million by the U.S. Department of Health and Human Services for violating HIPAA rules.

Cause of violation 

The company failed to properly dispose of patient data, including prescription labels, that were found in the trash outside of several CVS pharmacy locations. This exposed the PHI of over 6,000 patients, including names, addresses, medication types, and prescription numbers.

How could it be avoided?

  • Implementing proper policies and procedures for the disposal of patient data 
  • Training employees on how to properly handle sensitive information. 
  • The company could have also conducted regular audits to ensure compliance with HIPAA regulations and identified any potential gaps in its data privacy practices.

32. MD Anderson Cancer Center

In February 2018, the US Department of Health and Human Services’ Office for Civil Rights (OCR) fined MD Anderson Cancer Center $4.3 million for violating HIPAA rules.

Cause of violation 

The data breach occurred when an unencrypted laptop belonging to an MD Anderson Cancer Center employee was stolen from their residence. The laptop contained electronic protected health information (ePHI) of over 33,500 patients, including names, addresses, Social Security numbers, and medical information.

How could it be avoided?

  • Implementing policies and procedures to ensure that ePHI is safeguarded in all mediums, including portable devices such as laptops. 
  • Additionally, the center could have ensured that all portable devices containing ePHI are encrypted and secure at all times.

33. Athens Orthopedic Clinic

In June 2016, Athens Orthopedic Clinic paid $1.5 million to settle a class-action lawsuit related to a data breach.

Cause of violation 

The data breach occurred when a hacker gained access to the clinic’s computer systems, compromising the personal and medical information of over 200,000 patients. The stolen information included names, addresses, dates of birth, Social Security numbers, and medical diagnoses.

How could it be avoided?

Implementing stronger cybersecurity measures, such as firewalls, intrusion detection systems, and security information and event management (SIEM) systems, to protect their computer systems.

34. Cottage Health

In December 2013, Cottage Health agreed to a $4.125 million settlement after a data breach exposed the confidential medical information of approximately 50,000 patients.

Cause of violation

The data breach occurred when Cottage Health failed to replace a server that was vulnerable to hacking, leaving the sensitive data of thousands of patients exposed for almost three months.

How could it be avoided? 

Cottage Health could have taken more proactive measures to secure their data, including regular security audits and addressing vulnerabilities as soon as they were identified.

35. Austrian Post

In 2019, Austrian Post was fined €18 million by the Austrian Data Protection Authority for violating the European Union’s General Data Protection Regulation (GDPR).

Cause of violation 

The company was found to have collected and processed personal data, including political affiliations and religious beliefs, without the explicit consent of its customers. Additionally, the company failed to provide customers with clear information about the collection and processing of their personal data.

How could it be avoided?

  • Ensuring that its data collection and processing practices were GDPR-compliant. 
  • Obtaining explicit consent from customers for the collection and processing of their personal data and providing clear and concise information about these practices. 
  • Regular privacy impact assessments could have been conducted to identify and mitigate any potential privacy risks.

36. Oregon Health & Science University (OHSU)

In 2021, OHSU agreed to pay $2.7 million to the U.S. Department of Health and Human Services to settle potential violations of HIPAA.

Cause of violation 

The breach occurred when an unencrypted laptop containing the electronic protected health information (ePHI) of over 3,000 individuals was stolen from an OHSU employee’s vehicle.

How could it be avoided?

  • Protecting all ePHI-enabled devices.
  • Developing policies and procedures for device encryption, and providing ongoing workforce training on HIPAA privacy and security. 
  • OHSU could have ensured that its workforce members were fully aware of the risks associated with using portable electronic devices containing ePHI outside of OHSU’s facilities.

37. Parkview Health

In 2019, Parkview Health agreed to pay $800,000 to the HHS Office for Civil Rights to settle potential violations of HIPAA.

Cause of violation

The breach occurred when a retiring physician left 71 cardboard boxes of patient medical records unattended in the physician’s driveway, which were later picked up by an individual who sold them to a data-matching service.

How could it be avoided?

  • Implementing appropriate policies and procedures for the disposal of paper records containing PHI
  • Ensuring that its workforce members were fully aware of the risks associated with leaving patient records unattended

38. LifeSpan Health

In 2018, LifeSpan Health, a healthcare provider in Rhode Island, was fined $1.04 million for a data breach that exposed the personal information of over 20,000 patients.

Cause of violation 

The breach occurred when an unencrypted laptop was stolen from an employee’s car. The laptop contained the personal information of patients, including names, addresses, dates of birth, and social security numbers.

How could it be avoided?

  • Implementing stronger data encryption policies and ensuring that all sensitive data is encrypted, especially when stored on portable devices 
  • Stricter security protocols, such as multi-factor authentication and monitoring access to sensitive data

39. 21st Century Oncology

In 2016, 21st Century Oncology, a Florida-based cancer treatment center, agreed to pay $2.3 million to settle a lawsuit alleging that the company failed to protect patient data from cyberattacks.

Cause of violation 

The company was hacked by an unauthorized user who gained access to sensitive patient information, including social security numbers, diagnoses, and treatments. The breach affected approximately 2.2 million patients across 21st Century Oncology’s network of over 200 treatment centers.

How could it be avoided?

  • Regular security audits 
  • Network monitoring 
  • Employee training on cybersecurity best practices.
  • Encrypting sensitive data with access limited to only those who needed it for their job functions

40. REWE International

In February 2020, the Austrian grocery chain was fined €30 million ($33 million) for violating the General Data Protection Regulation (GDPR) by installing surveillance cameras in their stores that monitored employees excessively.

Cause of violation 

The company was accused of collecting employee data without sufficient cause or justification, and also of processing sensitive personal data without appropriate consent. This included monitoring break times, bathroom visits, and medical information.

How could it be avoided? 

  • Obtaining explicit consent from employees for the use of their data and only collecting data that was necessary and proportionate to the purpose. 
  • Conducting a privacy impact assessment before installing the cameras to ensure they complied with GDPR requirements

41. Dutch Tax and Customs Administration

In January 2020, the Dutch Tax and Customs Administration was fined €725,000 ($800,000) for violating GDPR by not adequately securing its online portal, leading to a data breach that exposed the personal information of millions of Dutch citizens.

Cause of violation

The breach occurred due to a vulnerability in the online portal that was discovered by an ethical hacker who reported it to the authorities. The vulnerability allowed unauthorized access to sensitive personal data such as social security numbers, dates of birth, and bank account details.

How could it be avoided? 

  • Implementing stronger security measures to protect the portal, such as multi-factor authentication, regular security audits, and encryption of sensitive data. 
  • The agency could have responded more promptly to the ethical hacker’s report and taken action to address the vulnerability.

42. Boston Medical Center

In 2019, Boston Medical Center agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement followed an investigation into unauthorized access to patient information by employees of BMC’s subcontractor.

Cause of violation

The hospital was notified of the breach by its email provider, which found evidence of unauthorized access to the accounts. The email accounts contained patients’ names, dates of birth, medical record numbers, and health insurance information.

How could it be avoided?

  • Stricter security protocols
  • Employee training
  • Encryption of data

43. Cosmote Mobile Telecom

In July 2021, Cosmote Mobile Telecom, a subsidiary of the Hellenic Telecommunications Organization (OTE), was fined €8 million ($9.5 million) by the Greek Data Protection Authority for violating the General Data Protection Regulation (GDPR).

Cause of violation 

The breach occurred due to a vulnerability in an older version of a third-party application that the company was using. The exposed data included customers’ names, home addresses, email addresses, and phone numbers.

How could it be avoided?

  • Regularly updating all systems and applications to ensure that they are secure and up-to-date 
  • Regular security audits and stronger access controls to prevent unauthorized access to sensitive customer data

44. Excellus Health Plan

In 2015, Excellus Health Plan suffered a data breach that affected 10 million individuals. The company was fined $5.1 million by the US Department of Health and Human Services (HHS) for violating the Health Insurance Portability and Accountability Act (HIPAA).

Cause of violation 

The breach occurred due to a series of cyberattacks between December 2013 and May 2015. The attackers gained access to Excellus’ IT systems, which contained sensitive personal information such as names, dates of birth, Social Security numbers, addresses, phone numbers, and insurance identification numbers.

How could it be avoided?

  • Stronger security measures such as network segmentation, access control, and regular security audits.
  • Regular cyber security training for

45. Dixons Carphone

In January 2018, Dixons Carphone, a UK-based electronics retailer, suffered a massive data breach that exposed the personal and financial information of over 10 million customers.

Cause of violation 

The company was criticized for failing to implement sufficient security measures and not detecting the breach for nearly a year. The exposed data included names, addresses, phone numbers, dates of birth, and email addresses. Additionally, 5.9 million customers had their payment card details exposed.

How could it be avoided?

To prevent such data breaches, Dixons Carphone could have implemented stronger security measures, such as multi-factor authentication, encryption, and firewalls. Regular security audits could have also helped the company detect the breach sooner, minimizing the damage.

46. Google

In March 2019, Google was fined $1.7 billion by the European Union for violating antitrust laws by abusing its dominant position in online advertising.

Cause of violation 

The EU accused Google of requiring websites to exclusively use its advertising services, thereby preventing its rivals from competing fairly. The company’s actions were deemed anti-competitive and harmed both consumers and competitors.

How could it be avoided?

  • Google could have avoided the EU fine by refraining from anti-competitive practices
  • The company could have allowed for fair competition in the online advertising market
  • Google could have cooperated with the EU’s investigation
  • The company could have worked to find a solution that satisfied all parties involved.

47. National Revenue Agency (Bulgaria)

In July 2019, the Bulgarian National Revenue Agency suffered a cyberattack, resulting in the personal data of almost every Bulgarian citizen being stolen, as well as the records of many businesses.

Cause of violation 

The cyberattack was caused by a vulnerability in the software used by the agency, which allowed the attackers to gain access to the agency’s systems. The stolen data included names, addresses, social security numbers, and other personal information.

How could it be avoided? 

  • Implement stronger security measures, including regular vulnerability assessments and penetration testing.
  • Ensure that all software used is up-to-date and secure.

48. Enel Energia

In March 2017, the Italian energy company Enel Energia was fined €11.5 million by the Italian data protection authority for multiple data protection violations.

Cause of violation 

Enel Energia was found to have violated several data protection regulations, including failing to obtain proper consent for processing personal data and not providing adequate information to customers about data processing activities.

How could it be avoided? 

  • Implement proper consent procedures and provide clear information to customers about how their data will be processed.
  • Ensure that data protection regulations are being followed across all systems and processes.

49. BBVA

In December 2020, BBVA was fined €5 million (approximately $6 million) by the Spanish Data Protection Agency (AEPD) for violating data protection regulations.

Cause of violation 

The bank was found to have processed the personal data of its employees in breach of the General Data Protection Regulation (GDPR). Specifically, BBVA was found to have conducted unlawful monitoring of employees, by using cameras and tracking devices, without providing adequate information and obtaining valid consent.

How could it be avoided?

  • Ensure that valid consent is obtained from employees for any monitoring activities and provide clear information about the purpose of such monitoring.
  • Implement appropriate security measures to protect employee data, such as encryption, access controls, and regular security audits.

50. Columbia University Medical Center

In June 2019, Columbia University Medical Center agreed to pay $9.5 million to settle allegations of HIPAA violations.

Cause of violation 

The medical center was found to have violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to secure thousands of patients’ electronic protected health information (ePHI). The violation was discovered after the medical center reported a data breach in 2010, which affected approximately 6,800 patients.

How could it be avoided?

  • Implement appropriate technical and administrative safeguards to protect ePHI, such as access controls, encryption, and regular security risk assessments.
  • Ensure that the workforce receives regular HIPAA training.
  • Have policies and procedures in place for responding to and reporting data breaches.

51. ENI

In 2010, the Italian energy company ENI was fined €5 million by the Italian data protection authority (Garante per la protezione dei dati personali) for violating data protection laws.

Cause of violation 

ENI was accused of violating data protection regulations by failing to ensure adequate security measures to protect personal data, including the sensitive data of its employees, which was accessed by unauthorized individuals. The data breach occurred when hackers gained access to the company’s servers and stole confidential employee information, including bank account details and social security numbers.

How could it be avoided? 

  • Implement stronger data protection measures, such as encryption, multi-factor authentication, and regular security audits.
  • Ensure access to sensitive data is restricted to authorized personnel only.
  • Implement protocols to quickly detect and respond to cyberattacks.

Conclusion

The staggering financial penalties and reputational damage incurred by companies as a result of data breaches serve as a stark reminder of the importance of robust cybersecurity measures. 

Data breaches not only compromise the privacy and security of individuals but also have significant financial and legal consequences for the companies involved. As the world becomes increasingly digital and interconnected, the risks of data breaches are only set to increase.

In light of this, companies must take proactive steps to safeguard their networks and user data. 

This includes investing in strong encryption, multi-factor authentication, and regular security audits, as well as ensuring that employees are well-trained on data privacy and security best practices. Companies should also implement protocols to quickly detect and respond to cyberattacks, and be transparent with their customers in the event of a data breach.

Nivedita James Palatty

Nivedita is a technical writer with Astra who has a deep love for knowledge and all things curious in nature. An avid reader at heart, she found her calling writing about SEO, robotics, and, currently, cybersecurity.