Largest fines imposed on organizations for data privacy violations

Aishwarya Sethi

Law Student, Army Institute of Law, Mohali

The volume of data privacy violations continues to climb, and as a result there has never been a more unsafe time to share personal data with businesses and corporations, necessary as that often is. The substantial fines levied for data breaches in recent years reflect the growing concern of regulators across the world about organizations that breach privacy norms and fail to grasp the tremendous responsibility that comes with collecting consumer data.

Data breaches, big or small, affect consumers directly and therefore need to be taken seriously. As consumers, we are surrounded by companies that do not properly protect the data they hold about us. Although some of them have come under the scrutiny of regulatory authorities around the world, the journey has only just begun. This article brings to light the five largest fines imposed by regulators on organizations for data privacy violations.

Facebook (2018)

What and Why?
The Facebook–Cambridge Analytica data scandal emerged from an app called “This Is Your Digital Life”, which obtained the personal data of millions of Facebook users without their consent predominantly for political advertising. The app collected the personal data of the users’ Facebook friends via Facebook’s Open Graph platform.

Demographic Impact
The app compromised the data of up to 87 million Facebook profiles.

Fine Imposed
The Federal Trade Commission imposed the largest fine in its history on Facebook, amounting to $5 Billion, in addition to the $663,000 imposed under UK’s GDPR Law. Further, in July 2019, Facebook agreed to pay $100 million to settle with the U.S. Securities and Exchange Commission for “misleading investors about the risks it faced from misuse of user data”.

What did the authorities say?
The FTC Chairman at the time, Joe Simons, said that, “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.” He also fittingly stated that the measures will provide significant deterrence not just to Facebook, but to every other company that collects or uses consumer data.

Equifax Inc. (2017)

What and Why?
Attackers compromised a consumer complaint web portal and, because the system security of the credit monitoring and identity protection company was lax, were able to move on to other servers. There they found usernames and passwords stored in plain text, which allowed them to access further systems. It was later reported that Equifax had failed to renew an encryption certificate on one of its internal security tools, so that the intrusion went unnoticed for longer.

Demographic Impact
The sensitive personal data of 148 million Americans had been compromised including names, phone numbers, addresses, etc.

Fine Imposed
Equifax agreed to pay $575 Million in a settlement with the Federal Trade Commission, Consumer Financial Protection Bureau and the fifty states of the United States of America, besides the $625,000 fine imposed by the United Kingdom.

What did the authorities say?
Chairman Joe Simons stated that, “Companies that profit from personal information have an extra responsibility to protect and secure that data…Equifax failed to take reasonable steps to secure its network.”

Uber (2016)

What and Why?
Uber Inc., primarily known for its cab service, was already under investigation for its 2014 data breach, which had leaked the sensitive personal data of drivers associated with the company, when another major breach came to light in 2016. That breach compromised the names, email addresses, mobile phone numbers and driver’s license numbers of U.S. Uber drivers and riders. The intruders reached the consumer data through an access key to the cloud provider’s server (where all the data was stored) that an Uber engineer had posted on a code-sharing website.

Demographic Impact
The sensitive personal data of 57 Million Uber users was exposed.

Fine Imposed
The company was fined $148 Million for violation of state data breach notification laws.

What did the authorities say?
The Acting FTC Chairman at the time, Maureen K. Ohlhausen, highlighted that, in addition to misleading consumers about its privacy practices, Uber compounded its misconduct by not informing the Commission that it had suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach. The aim of the settlement was to prevent Uber from engaging in such misconduct again.

British Airways (2018)

What and Why?
Stealing users’ personal and card details as they enter them into a payment form is a common data pilfering technique, and British Airways fell prey to it. The credit card details of over 400,000 customers were compromised within two weeks, inviting scrutiny from the Information Commissioner’s Office in the United Kingdom and leading to the largest fine the ICO had ever imposed, later reduced in light of the impact of COVID-19 and the company’s ability to pay.

Demographic Impact
The personal and payment data of over 400,000 users was exposed.

Fine Imposed
The company was fined $230 Million initially, later reduced to $26 Million owing to pleas based on the organization’s economic downfall post COVID-19.

What did the authorities say?
The ICO found poor security systems in place. The Information Commissioner, Elizabeth Denham, stated that, “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Marriott International (2016-2018)

What and Why?
The first part of the cyber-attack happened in 2014, affecting the Starwood Hotels group, which Marriott acquired two years later. Until 2018, when the problem was first noticed, the attacker retained access to all affected systems and to customer information including personal, payment and passport data.

Demographic Impact
The personal and payment data of about 339 Million users was exposed.

Fine Imposed
The company was initially fined $124 Million, which was reduced to $23.7 Million after a one-year delay, owing to pleas based on the steps taken to mitigate the effect of the breach and on the economic impact of COVID-19.

What did the authorities say?
The ICO stated that Marriott had failed to protect personal data as required by the General Data Protection Regulation (GDPR) by not conducting proper due diligence before acquiring the Starwood Hotels Group, affecting the data of millions of people. However, the ICO acknowledged the improvements to the security systems that were introduced later.

*The number of users affected is taken from the estimates made public by the organizations concerned and may vary slightly from source to source.
