The huge fines imposed on multiple companies for data breaches in 2019 indicate that regulators are becoming less tolerant of organizations that fail to properly protect consumer data. In the UK, British Airways received a record fine of $230 million, followed closely by a $124 million fine against Marriott. In the United States, Equifax agreed to pay at least $575 million for its 2017 breach.
Looking at the five largest data breach fines below, it should be clear that these fines are only a small part of the overall cost of a corporate data breach.
- Equifax: Over $575 million
In 2017, Equifax exposed the personal and financial information of nearly 150 million people because a database had not been patched in a timely manner against a serious vulnerability in the Apache Struts framework.
In July 2019, Equifax agreed to pay at least $575 million to the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 US states and territories for the company's "accident", an amount that could rise to $700 million. It also committed to taking reasonable measures to protect its network.
- British Airways: $230 million
Just when it seemed that the deterrent power of the GDPR would gradually fade, British Airways received a record fine of £183 million (about $230 million), the highest data breach fine to date, surpassing Uber's 2018 fine. According to the ICO investigation, the British Airways breach resulted from poor security management and negligent security review of third-party vendor scripts. GDPR has clearly become one of the main forces pushing security onto the boardroom agenda.
- Uber: $148 million
In 2016, ride-hailing platform Uber leaked the account information of 600,000 drivers and 57 million users. The company did not disclose the incident and instead paid the perpetrators $100,000 in an attempt to hide it. Those actions cost the company dearly: in 2018 it was fined $148 million for violating state data breach notification laws, the largest data breach fine in history at the time.
- Marriott International: $124 million
A few days after the record fine on British Airways, the ICO imposed a second huge fine for a data breach, this time on Marriott International. Marriott was fined £99 million (about $124 million) after the payment information, names, addresses, phone numbers, email addresses and passport numbers of up to 500 million customers were leaked. According to the ICO statement, Marriott "has not performed adequate due diligence when acquiring Starwood, and lacked information security work." The hotel chain was also fined 1.5 million lira (about $265,000) by the Turkish Data Protection Authority (not under GDPR legislation), which underscores that a single breach can lead to multiple fines worldwide.
- Yahoo: $85 million
In 2013, Yahoo suffered a large-scale data breach affecting approximately 3 billion accounts, yet the company did not disclose it for three years. In April 2018, the US Securities and Exchange Commission (SEC) imposed a $35 million fine on Yahoo for failing to disclose the breach.