
Cost of non-compliance: 8 largest data breach fines and penalties

October 20, 2020 by Greg Belding

Introduction

Various regulations and laws impose fines and penalties on organizations that suffer data breaches, on the premise that the organization did not take the privacy of the data it held seriously. The authorities treat this responsibility as a serious one and will not hesitate to impose fines and penalties that sometimes run to hundreds of millions of dollars, if not more.

This article presents an up-to-date countdown of the eight largest data breach fines and penalties, ordered from smallest to largest.

Cost of non-compliance in healthcare

The cost of non-compliance for a data breach varies from industry to industry. Before we start our countdown, it should be noted that data breaches in healthcare are the costliest per breach. This is due to the strict requirements of the Health Insurance Portability and Accountability Act (HIPAA), which mandates high fines for a breach, to the tune of $429 per record.

The top 8 breaches

8. The University of Texas MD Anderson Cancer Center

The University of Texas MD Anderson Cancer Center suffered three separate data breaches between 2012 and 2013. Together they exposed the personal health information (PHI) of over 33,500 patients at the cancer center. All three incidents involved the loss of information that had not been encrypted, which HIPAA mandates. For these HIPAA violations, the cancer center was hit with a $4.3 million fine.

7. Google

This represents one of the largest EU GDPR regulatory fines to date, and it ended up costing Google the equivalent of $43 million when all was said and done. In January 2019, France's National Commission on Informatics and Liberty (CNIL) imposed this hefty fine for violations of four articles of the GDPR.

The charges boiled down to a lack of transparency about how user data was harvested and used for ad targeting. Failing to give users adequate information about consent policies, and failing to give them control over how their data was processed, cost Google big.

6. Capital One

This is another example from 2019. Capital One experienced a data breach that affected a total of 106 million individuals in North America and cost the bank a fine of $80 million.

The breach was carried out by Paige Thompson, a former software engineer at Amazon Web Services, who took personal information belonging to the bank's credit card customers and to individuals who had applied for a credit card. The theft was possible because of a configuration vulnerability in a web application firewall.

According to the Office of the Comptroller of the Currency, the official rationale for the fine was that the bank failed to establish effective risk assessment processes during its migration to a public cloud environment and then failed to correct those deficiencies in a timely fashion.

5. Yahoo

This breach occurred in 2013 and affected the web giant Yahoo. A large security breach impacted its entire database, which contained approximately three billion accounts (almost as many as the entire population using the internet!). What really hurt Yahoo was that it did not report the breach for almost three years.

As a result, the United States Securities and Exchange Commission fined Yahoo $35 million in 2018. One year later, Altaba, the new owner of Yahoo, announced that it had reached a $50 million class action settlement over the breach. At the end of the day, this breach cost Yahoo $85 million.

4. Marriott International

This hotel chain goliath suffered a data breach in which sensitive payment information, including names, addresses, phone numbers, emails and even passport numbers, was compromised. The breach affected around 500 million customers and resulted in a fine of approximately $124 million.

The breach was caused by attackers who had been on the network of a Marriott subsidiary, Starwood, for three years after Marriott purchased it. Regulators in the UK found that Marriott failed to exercise due diligence in making sure those systems were secure.

As an interesting side note, this case demonstrates how one breach can lead to multiple fines. After the GDPR fine, the Turkish government fined Marriott a further $265,000 for violations identified by the Turkish data protection authority.

3. Uber

Uber, a leader in the popular ride-hailing app business, takes the #3 spot on this list with a major data breach that occurred in 2016. In this incident, a cybercriminal accessed the data of 57 million user accounts and 600,000 drivers.

In an effort to avoid the bad PR that a breach like this brings, Uber paid the criminal $100,000 to keep the breach secret. Rather than the matter quietly going away, the rideshare company was hit with a $148 million fine in 2018 for violating data breach notification laws. At the time, this was the largest fine ever imposed for a data breach.

2. British Airways

Not only does BA take the runner-up spot (of sorts), but it also has the distinction of being the first recipient of a mega-sized fine for non-compliance with GDPR. Before this breach, GDPR fines had never exceeded the hundreds of thousands of dollars.

That changed in 2019, when BA was hit by a card-skimming data harvesting attack by the Magecart group. The group used injected scripts to harvest both payment and personal data from as many as 500,000 customers, all within a matter of two weeks. Instead of a slap on the wrist in the thousands of dollars, the UK Information Commissioner's Office (ICO) fined BA $230 million.

1. Equifax

Holding the #1 spot since the breach in 2017 is the infamous Equifax data breach. In this case, Equifax failed to maintain the Apache Struts framework used by one of its production databases. The framework contained a critical vulnerability that remained unpatched for months after the fix was available. The result was the loss of financial and personal information belonging to around 150 million individuals, and for weeks Equifax kept the breach under wraps.

Following multiple settlement agreements to pay fines in the hundreds of millions of dollars, the total cost of this data breach reached its peak to date of $1.4 billion (not including legal fees). This figure was first revealed in Equifax's earnings release in May 2019.

Conclusion

Based on the numbers, the average total cost of a breach is going down slightly, with the 2019 and 2020 figures being $3.9 million and $3.86 million respectively. The cost of non-compliance in healthcare is higher, with an average cost per breach of nearly double that amount. With this said, given that Equifax's cost of breach has almost reached $2 billion and that the average time to identify and contain data breaches increased from 2019 to 2020, large data breaches, along with large fines, penalties and settlements, are not going to stop anytime soon.

Sources

The biggest data breach fines, penalties and settlements so far, CSO Online

Equifax’s Data Breach Costs Hit $1.4 Billion, BankInfoSecurity

Cost of a Data Breach Report 2020, IBM Security

Healthcare data breaches cost an average of $6.5M: report, Fierce Healthcare


Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.