Sizable fines assessed for data breaches since 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine, later reduced, while Equifax agreed to pay a minimum of $575 million for its 2017 breach.
This comes after an active 2018. Uber’s poor handling of its 2016 breach cost it close to $150 million. Weakly protected and heavily regulated health data cost medical facilities big that year, too, resulting in the US Department of Health and Human Services collecting increasingly large fines.
Equifax: (At least) $575 Million
2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it been discovered.
In July 2019 the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.”
$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”
Equifax had already been fined £500,000 [~$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.
In 2020, Equifax was made to pay further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US plus $18.2 million and $19.5 million to the states of Massachusetts and Indiana respectively.
Home Depot: ~$200 million
In 2014 Home Depot was involved in one of the largest data breaches to date involving a point-of-sale (POS) system, leading to a number of fines and settlements being paid. Stolen credentials from a third party enabled attackers to enter Home Depot’s network, elevate privileges, and eventually compromise the POS system. More than 50 million credit card numbers and 53 million email addresses were stolen over a five-month period between April and September 2014.
Home Depot has reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016 Home Depot agreed to pay $19.5 million to customers that had been affected by the breach, which included the cost of credit monitoring services to breach victims. In 2017 the firm agreed to pay an additional $25 million to the financial institutions affected by the breach that could be claimed by victims and cover banks’ losses.
Breaches can have a longtail of costs, especially when it comes to fines and settlements. In November 2020, the retailer paid a further $17.5 million settlement to 46 US states and Washington DC for the breach. The agreement also compels Home Depot to employ a highly qualified CISO, provide security training for key personnel, and ensure security controls and policies in areas like identity and access, monitoring, and incident response.
Uber: $148 million
In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.
Yahoo: $85 million
In 2013 Yahoo suffered a massive security breach that affected its entire database, about 3 billion accounts — almost the entire population of the web. The company, however, didn’t disclose this information for three years.
In April 2018, the U.S. Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose the breach. In September, Yahoo’s new owner Altaba admitted that it had settled a class action lawsuit resulting from the breach to the tune of $50 million.
A total bill of $85 million for 3 billion accounts works out to around $36 per record.
Capital One: $80 million
In 2019 Captial One bank suffered a breach affecting 100 million people in the US and 6 million in Canada. The company said an “outside individual” – later identified as former Amazon Web Services software engineer Paige Thompson – had obtained personal information of Capital One credit card customers and people who had applied for credit card products via a configuration vulnerability in the company’s web application firewall.
Information taken included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, self-reported income as well as credit scores, credit limits, balances, payment history, contact information, fragments of transaction data, some Social Security numbers and some bank account numbers.
The Office of the Comptroller of the Currency fined Capital One $80 million for “failure to establish effective risk assessment processes” when migrating operations to public cloud environment as well as a “failure to correct the deficiencies in a timely manner.”
Morgan Stanley: $60 million
While it didn’t suffer a breach, failure to conduct robust hardware decommissioning processes cost Morgan Stanley after it failed to adhere to expectations from the regulator. In October 2020 the US Office of the Comptroller of the Currency (OCC) fined the bank $60 million for failing to properly decommission hardware containing wealth management data from two of its US data centers in 2016.
According to the OCC, the bank “failed to exercise proper oversight” of the decommissioning of the centers. Issues listed include failure to effectively assess or address the risks associated with the decommissioning of its hardware, lack of risk assessment and due diligence around using third-party vendors or monitor vendor performance, and failure to maintain an appropriate inventory of customer data stored on the devices.
The OCC said the bank suffered similar vendor management control deficiencies in 2019 around the decommissioning of wide-area application services devices, but acknowledged Morgan Stanley has since undertaken corrective actions and is “committed” to taking necessary and appropriate steps to remedy the deficiencies.
While Morgan Stanley has made a statement saying it does not believe that client information has been accessed or misused as a result of its previous practices, the company is also facing a $5 million data breach suit around these failures.
British Airways: $26.2 million
Despite all threats and scare-mongering about the potential size of fines, the first 12 months of the EU’s General Data Protection Regulation (GDPR) had relatively little in the way of punitive action. Fines issued by data protection firms across mainland Europe that related to data breaches had been in the tens or low hundreds of thousands of euros and were in line with the kinds of finds companies were receiving under prior regulations. That quickly changed after British Airways (BA) was fined a record £183 million [~$230 million] after the airline was fined by the UK’s data protection authority, the ICO, after the Magecart group used card-skimming scripts to harvest the personal and payment data of up to 500,00 customers over a two-week period.
The ICO said its investigation found “poor security arrangements at the company” led to the breach. The BA fine shows that the regulation does have real teeth and the data protection authorities aren’t afraid to exercises their powers. Given that the GDPR has been one of the main drivers for pushing security higher up the agenda with boards, this will give CSOs and privacy/compliance offers renewed impetus to strengthen their security programs further.
However, the final figure BA has been made to pay was significantly reduced. After several months of delays and negotiations, the ICO reduced the fine down to £20 million for “failing to protect the personal and financial details of more than 400,000 of its customers.”
While the final figure is less climatic than original proposed penalty, it is still the largest fine ever issued by the ICO and highlights the dangers of poor security practices. Under the UK’s previous Data Protection regulation, the largest fine that could be issued was £500,000.
In both the BA notice for the final penalty and in other COVID guidance, the ICO stated that it would acknowledge “economic impact and affordability” when looking at issuing fines. That could explain why the struggling airline was given such a large discount off the original amount. However, the airline could still face large class action compensation claims in the future.
Hotel chain Marriott International has said that it expects a large reduction in its own delayed ICO-issued £99 million penalty to tune of around 50% but has suffered another breach since making that statement.
Marriott International: $23.7 million
GDPR fines are like buses: You wait ages for one and then two show up at the same time. Just days after a record fine for British Airways, the ICO issued a second massive fine over a data breach. Just like with BA, the final fine was massively reduced after a long delay.
Marriott International was initially fined £99 million [~$124 million] after payment information, names, addresses, phone numbers, email addresses and passport numbers of up to 500 million customers were compromised. The source of the breach was Marriott’s Starwood subsidiary; attackers were thought to be on the Starwood network for up to four years and some three after it was bought by Marriott in 2015.
According to the ICO’s statement, Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” Marriott CEO Arne Sorenson said the company was “disappointed” with the fine and plans to contest the penalty.
However, like with the massive fine the ICO levied against BA, the final penalty was far smaller. The hotel chain was actually only made to pay £18.4million [~$23.7 million] after over a year’s delay. While the regulator said Marriott had failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, it also acknowledged the steps the company took to mitigate the effects of the incident on its customers and the economic impact of COVID-19 as reasons behind the reduction. In a statement Marriott said it acknowledged the decision and will not appeal, but while it deeply regrets the incident it makes no admission of liability.
As with BA, while the final levy issued was massively reduced compared to what was initially announced, it was still a large amount that was far higher than could have been issued under the previous Data Protection Act and is the second highest data breach penalty issued by the UK’s regulator.
The hotel chain was also fined 1.5 million Lira (~$265,000) by the Turkish data protection authority — not under the GDPR legislation — for the beach, highlighting how one breach can result in multiple fines globally.
Tesco Bank: $21 million
Tesco Bank, the retail banking arm of the UK supermarket chain, was hit with a £16.4 million ($21.2 million) fine in 2018 by the UK’s Financial Conduct Authority (FCA) after just under $3 million was stolen from 9,000 customer accounts in 2016. The FCA accused Tesco’s of “deficiencies” in the design of its debit card, financial crime controls and in its Financial Crime Operations Team.
Target: $18.5 million
In 2017, retail giant Target agreed to a $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-thanksgiving Black Friday sales rush. Later investigations found names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reach over $200 million.
Anthem: $16 million
US health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The breach included names, birthdates, Social Security numbers and medical IDs. In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class-action lawsuit relating to the breach.
In 2020 the company agreed to pay group of states a further $39.5 million to settle claims the health insurer failed to safeguard its data but refused to accept blame for the incident. “Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement with the state attorneys general,” the company said in a announcement.
Ticketmaster: $10 million
Most companies on this list have been fined for suffering a data breach. Ticketmaster has the dubious honor of being fined for breaching a rival firm. In January 2021, the US ticketing firm agreed to pay a $10 million criminal fine after it used passwords unlawfully retained by a former employee of a competitor to gain access to systems at the rival company.
The US Department of Justice (DOJ) states that in 2013 an employee of the victim company – known as conspirator 1 – joined Ticketmaster and accessed computer systems of their previous employer using their old log-in credentials. The report also states that Ticketmaster executives solicited confidential proprietary information about the victim company through the conspirator with the aim of stealing major clients.
As well as supplying documents including a booking fee calculator, one of the systems accessed was a web-based data analytics package for ticketing known as an Artist Toolbox that provided clients real-time data about ticket sales sold through the victim company. Unauthorized access to the victim company went on for over 12 months from early 2014 into mid-2015.
The DOJ report states in 2015 the victim company changed how it generated URLs for its ticketing web pages specifically to prevent Ticketmaster employees from finding and accessing them, and then filed a civil complaint alleging antitrust violations. The unnamed UK-based firm merged with another company in 2015 and declared bankruptcy in 2016.
The company has been reported by some publication as presales ticketing firm Songkick, which merged with Crowdsurge in 2015 and in the same year also sued the Ticketmaster for anti-competitive behavior. In 2018 Songkick won a $110 million settlement, though as part of the agreement Ticketmaster’s parent company Live Nation acquired the victim company’s remaining technology assets.
Google: $7.5 million
More normally associated with fines around monopolies and anti-trust, 2020 saw Google agree to pay $7.5 million to resolve a class-action lawsuit over two Google+ incidents. The search giant originally announced it planned to shut down its Google+ social network in October 2018 after revealing a bug in a Google+ API that allowed developers access to data marked as private. Though Google claimed there was no evidence this bug was exploited, it acknowledged that over 400 applications used this API and potentially affected over 500,000 accounts.
Two months later Google announced a second incident involving Google+ and was shutting down four months earlier than originally stated after another API issue gave developers access to private profile information on 52.5 million users. (Again, the company said it didn’t think there had been any exploitation of this bug.)
Two class actions suits were filed in 2018 but later consolidated into one, and January 2020 saw a settlement agreed that would allow all users with Google+ accounts between January 2015 and April 2, 2019, whose non-public information was exposed to receive between $5 and $12 each.
Premera Blue Cross: $6.85 million
Though incidents have remained a regular occurrence, 2020 has largely been quiet in terms of punitive fines. But in September, Washington-based health insurance company Premera Blue Cross was fined $6.85 million for HIPAA violations.
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) fined Premera after it discovered breach affecting over 10.4 million people. PBC filed a breach report in March 2015 after cyber-attackers had gained unauthorized access to its systems. A phising attack from 2014 went undetected for nearly nine months and resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.
OCR’s investigation found “systemic noncompliance” with the HIPAA requirements, including failure to conduct an risk analysis, implement risk management, or put in audit controls in place. These failures resulted in the OCR issuing the second-largest HIPAA fine on record.
Excellus: $5.1 million
New York-based health insurer Excellus agreed to pay a $5.1 for a violation of HIPAA privacy and security rules. Those violation came to light after a data breach exposed the personal information of more than 9 million people between late 2013 and May 2015. The fine was paid to the US Department of Health and Human Services’ Office for Civil Rights (OCR).
The breached data included a wide range of sensitive informatio: names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims and medical treatment information. The fine was levied based on “a failure to conduct enterprise-wide risk analysis and failures to implement risk management, information system activity review, and access controls,” according to the OCR.
The University of Texas MD Anderson Cancer Center: $4.3 million
In June 2018 a judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer center suffered three data breaches between 2012 and 2013, which resulted in the loss of health information ofover 33,500 individuals. In one case an unencrypted laptop was stolen from an employee’s residence. The other two breaches involved the loss of unencrypted USBs.
Fresenius Medical Care North America: $3.5 million
HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012. An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”
These failures include not preventing unauthorized access to facilities and equipment, failing to encrypt health data, not governing the removal of electronic media holding health data, and having a lack of security incident procedures.
Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center (URMC): $3 million each
2019 saw three large HIPAA violations; $3 million each for Cottage Health & Touchstone Medical Imaging.
Cottage health was fined for two breaches — one in 2013 and another in 2015 — resulting in electronic protected health information (ePHI) affecting over 62,500 individuals being leaked. Both incidents involved servers holding ePHI being accessible over the internet.
Tennessee-based Touchstone Medical Imaging was fined after leaving the protected health information (PHI) of over 300,000 patients available online through an exposed FTP server. Touchstone was notified about this exposure by the FBI in 2014 but claimed no patient PHI was exposed.
The US Department of Health and Human Services (HHS) found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.” In addition, the HHS said that notification to individuals affected by the breach was “untimely,” that Touchstone “failed to conduct an accurate and thorough risk analysis of potential risks,” and the company “failed to have business associate agreements in place with its vendors.”
In November 2019 The University of Rochester Medical Center (URMC) was also fined $3 million for failing to encrypt mobile devices. The center, which includes the School of Medicine and Dentistry and Strong Memorial Hospital, lost an unencrypted flash drive in 2013 and had an unencrypted laptop stolen in 2017. URMC was fined for failing to properly protect personal health information despite previously reporting a breach through an unencrypted drive in 2010.
Jackson Health System: $2.15 million
Another large HIPAA violation, this time for Miami nonprofit academic medical system Jackson Health System (JHS), which runs a number of hospitals and care centers in Florida. JHS was fined $2.15 million by DHS over several incidents between 2013 and 2016.
Although JHS did report the loss of paper records on 756 patients to DHS in 2013, it failed to report the loss of an additional three boxes of patient records after an internal investigation. In 2015 JHS discovered two employees had accessed a patient’s electronic medical record without a job-related purpose. In 2016 JHS reported a breach after finding that an employee had been selling patient data totaling 24,000 patients’ records since 2011.
Ticketmaster: £1.25 million ($1.7 million)
US-based events firm Ticketmaster was fined £1.25 million ($1.7 million) under the GDPR after an insecure chatbot on its payment page exposed 9.4 million of Ticketmaster’s customers across Europe.
The company was notified of a potential incident in April 2018 by online bank Monzo after it noticed fraudulent payments, but Ticketmaster informed the bank that an internal investigation found no evidence of a breach. After more banks reported similar activity and engaged with several incident response firms, the firm eventually reported the breach to regulators in June 2018.
The UK’s regulator found that Ticketmaster failed to properly assess the risks of using a chatbot on its payment page, identify and implement appropriate security measures to negate the risks around the chatbot, or identify the source of suggested fraudulent activity in a timely manner.
The ICO notes that although the breach began in February 2018 – prior to GDPR coming into effect on May 25 – the offending chatbot was only completely removed from Ticketmaster UK Limited’s website in June, and the penalty is issued for the time between.
1&1 Telecom: $1 million (reduced from $10.6 million)
Not just the UK is handing out large GDPR fines only to reduce them later. German web hosting company 1&1 was fined €9.55 million ($10.6 million) by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) for not taking “sufficient technical and organizational measures” to prevent unauthorized persons using its customer service department to gain access to customer data. Its poor authentication processes meant that callers could obtain information on other customers by simply providing the name and birthdate of the person they wanted information on.
However, as with the UK ICO’s fines against BA and Marriott, the final figure was reduced considerably. Though this time it was not the regulator that lowered the penalty. In November 2020, the Regional Court (Landgericht) of Bonn slashed the fine to just €900,000 ($1 million) on the basis that it was disproportionate.
1&1 challenged the original decision in the Court, arguing the revenues-based figure was excessive. Although the Court did rule that 1&1’s security measures where not sufficient, it considered the fine to be disproportionate for what it viewed to be a minor violation was minor.
Equifax, Facebook, DSG Retail Limited, and Cathay Pacific: $650,000 each
Four companies in the UK can count themselves lucky. In 2018 the UK Information Commissioner’s Office fined Equifax and Facebook or data failures under the pre-GDPR Data Protection Act, in which the highest possible fine is just £500,000 (~$650,000). Under GDPR, the penalties could have been much higher. Facebook was slapped with the bill in October over the Cambridge Analytica data scandal, while Equifax was handed the maximum penalty in September for its 2017 breach.
In early 2020 – almost two years after the introduction of GDPR – the regulator fined two more companies under the old DPA. UK retailer DSG Retail Limited (DSG) received the fine after point-of-sale malware was discovered on over 5,000 machines at its Currys PC World and Dixons Travel stores. However, as the attack started in July 2017 — before the implementation of GDPR – the company was fined the old maximum of £500,000 despite the fact the attackers were reportedly still collecting information until April 2018, after the implementation of the new regulations.
The attack enabled unauthorized access to 5.6 million payment card details and personal information of approximately 14 million people, including full names, postcodes, email addresses, and failed credit checks from internal servers. The ICO claimed the company had” poor security arrangements” and failed to take adequate steps to protect personal data, including inadequate patching, absence of a local firewall, lack of network segregation, and no routine security testing. The ICO had previously fined DSG’s Carphone Warehouse £400,000 [~$520,000] for similar failings in January 2018.
Chinese airline Cathay Pacific was fined the DPA maximum in March 2020 for “failing to protect the security of its customers’ personal data.” The ICO ruled that between October 2014 and May 2018 Cathay Pacific’s systems “lacked appropriate security measures,” leading to customers’ personal details being exposed.
Editor’s note: This article, originally published in July 2019, is frequently updated as new information on incident penalties becomes available.
Copyright © 2021 IDG Communications, Inc.