
6 Times Data Regulators Churned Out High Penalties in 2019

By Rudra Srinivas

Data breaches and security incidents are becoming increasingly expensive. The financial risk of a data breach rose further after the European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018.

The year 2019 has already seen organizations hit with sizable fines and settlements for security incidents or for misusing customers’ information. Since GDPR came into force, data regulators have taken an increasingly hard line against companies that do not take consumer data protection seriously.

According to a report from IBM, the average cost of a data breach has risen to US$ 3.92 million, a 1.6 percent increase over 2018 and a 12 percent rise over the last five years.

Cyber-attacks, data thefts, weak security, mistakes, and cover-ups have cost these companies a huge fortune.

1. British Airways

The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), fined British Airways £183.39 million (around US$ 230 million) on July 08, 2019, after the airline failed to protect its customers’ data. The fine related to a data breach disclosed in September 2018 that exposed the personal information of around 500,000 customers.

The ICO said its investigation found that the breach compromised customer details, including login, payment card, name, address, and travel booking information, which was harvested after users were diverted to a fraudulent website. The breach, which began in June 2018, was attributed to poor security measures for protecting customer information, the ICO stated.

2. Yahoo

In one of the biggest class-action lawsuit settlements in United States history, Yahoo Inc. agreed to pay US$ 117.5 million over a series of data breaches that affected its users between 2012 and 2016. Affected users will likely receive US$ 100 in compensation or two years of free credit monitoring services.

Yahoo urged Settlement Class Members to file claims for reimbursement. Users who already hold credit monitoring services can opt for a cash payment instead, which may be less than US$ 100 or more (up to US$ 358) per user, depending on how many users claim under the settlement, Yahoo said in a statement.

According to Yahoo, anyone who had a Yahoo account between January 1, 2012, and December 31, 2016, and is a resident of the United States or Israel is eligible for the settlement.

3. Uber

In 2016, ride-hailing company Uber had data on 600,000 drivers and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrators, Glover and Mereacre, US$ 100,000 in ransom to keep the hack secret. These actions cost the company dearly: Uber was fined US$ 148 million in 2018 for violating state data breach notification laws.

In October 2019, the two hackers pleaded guilty to an extortion scheme built on stealing the sensitive information of 57 million Uber passengers and drivers. According to the statement from the Federal Court, California, the hackers admitted stealing personal information belonging to the ride-hailing service provider that was stored on Amazon Web Services between October 2016 and January 2017, and then demanding a ransom.

4. Marriott International

In July 2019, the hospitality group Marriott International was fined £99,200,396 (around US$ 123,705,870) by the ICO for the data breach it reported in 2018. The ICO stated that Marriott failed to protect its customers’ information, thereby violating the GDPR.

Marriott suffered a massive data breach affecting up to 500 million guests last year. Hackers extracted people’s personal data as well as loyalty program, payment, and reservation information. That’s not all: encrypted credit card data of 100 million customers was also stolen.

5. Facebook

Facebook is set to pay the largest fine ever imposed on a technology company by the Federal Trade Commission (FTC). On July 24, 2019, the social media giant was hit with a massive US$ 5 billion fine for allegedly violating its privacy commitments and mishandling user data during the infamous Cambridge Analytica scandal and other privacy breaches. The FTC ordered Facebook to adopt new policies for protecting users’ data and to extend those policies to Instagram and WhatsApp.

Facebook has also agreed to pay a £500,000 (around US$ 645,000) penalty imposed by the ICO for failing to safeguard users’ data gathered by the political data firm Cambridge Analytica.

Under the settlement deal, Facebook agreed to drop its legal appeal against the penalty. The ICO stated that Facebook may retain some documents the ICO disclosed during the appeal process and use them in its own investigation into issues around Cambridge Analytica.

6. Equifax

In July this year, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau fined Equifax around US$ 700 million following a massive data breach in 2017 that leaked the information of more than 143 million people in the U.S. alone.

According to official reports, the proposed penalty could be between US$ 650 million and US$ 700 million. The final amount could vary depending on how many people file claims and how much compensation they are expected to receive.

On September 7, 2017, the Atlanta-based consumer credit reporting agency disclosed that its databases had been breached between May and June 2017, and that hackers had gained access to company data potentially compromising sensitive information on 143 million American consumers, including Social Security numbers, credit card numbers, and driver’s license numbers. Equifax discovered the breach on July 29, 2017, but waited until after the close of trading nearly six weeks later to disclose it to consumers and to Equifax’s investors; by then the hackers had been exfiltrating data for 76 days.

Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.