
Sizable fines assessed for data breaches in 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine, while Equifax agreed to pay a minimum of $575 million for its 2017 breach.

This comes after an active 2018. Uber’s poor handling of its 2016 breach cost it close to $150 million. Weakly protected and heavily regulated health data cost medical facilities big that year, too, resulting in the US Department of Health and Human Services collecting increasingly large fines.

Equifax: (At least) $575 Million

2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it had been discovered.

In July 2019 the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.” 

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

Equifax had already been fined £500,000 [~$625,000]  in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.

Uber: $148 million

In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.

Marriott International: $124 million

GDPR fines are like buses: You wait ages for one and then two show up at the same time. Just days after a record fine for British Airways, the ICO issued a second massive fine over a data breach.

Marriott International was fined £99 million [~$124 million] after payment information, names, addresses, phone numbers, email addresses and passport numbers of up to 500 million customers were compromised. The source of the breach was Marriott’s Starwood subsidiary; attackers were thought to be on the Starwood network for up to four years and some three years after it was bought by Marriott in 2015.

According to the ICO’s statement, Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” Marriott CEO Arne Sorenson said the company was “disappointed” with the fine and plans to contest the penalty.  

The hotel chain was also fined 1.5 million Lira (~$265,000) by the Turkish data protection authority — not under the GDPR legislation — for the breach, highlighting how one breach can result in multiple fines globally.

Yahoo: $85 million

In 2013 Yahoo suffered a massive security breach that affected its entire database, about 3 billion accounts — almost the entire population of the web. The company, however, didn’t disclose this information for three years.

In April 2018, the U.S. Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose the breach. In September, Yahoo’s new owner Altaba admitted that it had settled a class action lawsuit resulting from the breach to the tune of $50 million.

A total bill of $85 million for 3 billion accounts works out to around $36 per record. 

Capital One: $80 million

In 2019 Capital One bank suffered a breach affecting 100 million people in the US and 6 million in Canada. The company said an “outside individual” – later identified as former Amazon Web Services software engineer Paige Thompson – had obtained personal information of Capital One credit card customers and people who had applied for credit card products via a configuration vulnerability in the company’s web application firewall.

Information taken included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, self-reported income as well as credit scores, credit limits, balances, payment history, contact information, fragments of transaction data, some Social Security numbers and some bank account numbers.

The Office of the Comptroller of the Currency fined Capital One $80 million for “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment as well as a “failure to correct the deficiencies in a timely manner.”

Morgan Stanley: $60 million

While it didn’t suffer a breach, failure to conduct robust hardware decommissioning processes cost Morgan Stanley after it failed to adhere to expectations from the regulator. In October 2020 the US Office of the Comptroller of the Currency (OCC) fined the bank $60 million for failing to properly decommission hardware containing wealth management data from two of its US data centers in 2016.

According to the OCC, the bank “failed to exercise proper oversight” of the decommissioning of the centers. Issues listed include failure to effectively assess or address the risks associated with the decommissioning of its hardware, lack of risk assessment and due diligence around using third-party vendors or monitoring vendor performance, and failure to maintain an appropriate inventory of customer data stored on the devices.

The OCC said the bank suffered similar vendor management control deficiencies in 2019 around the decommissioning of wide-area application services devices, but acknowledged Morgan Stanley has since undertaken corrective actions and is “committed” to taking necessary and appropriate steps to remedy the deficiencies.

While Morgan Stanley has made a statement saying it does not believe that client information has been accessed or misused as a result of its previous practices, the company is also facing a $5 million data breach suit around these failures.

British Airways: $26.2 million

Despite all threats and scare-mongering about the potential size of fines, the first 12 months of the EU’s General Data Protection Regulation (GDPR) had relatively little in the way of punitive action. Fines issued by data protection authorities across mainland Europe that related to data breaches had been in the tens or low hundreds of thousands of euros and were in line with the kinds of fines companies were receiving under prior regulations. That quickly changed when British Airways (BA) was fined a record £183 million [~$230 million] by the UK’s data protection authority, the ICO, after the Magecart group used card-skimming scripts to harvest the personal and payment data of up to 500,000 customers over a two-week period.

The ICO said its investigation found “poor security arrangements at the company” led to the breach. The BA fine shows that the regulation does have real teeth and the data protection authorities aren’t afraid to exercise their powers. Given that the GDPR has been one of the main drivers for pushing security higher up the agenda with boards, this will give CSOs and privacy/compliance officers renewed impetus to strengthen their security programs further.

However, the final figure BA has been made to pay was significantly reduced. After several months of delays and negotiations, the ICO reduced the fine down to £20 million for “failing to protect the personal and financial details of more than 400,000 of its customers.”

While the final figure is less climactic than the originally proposed penalty, it is still the largest fine ever issued by the ICO and highlights the dangers of poor security practices. Under the UK’s previous Data Protection regulation, the largest fine that could be issued was £500,000.

In both the BA notice for the final penalty and in other COVID guidance, the ICO stated that it would acknowledge “economic impact and affordability” when looking at issuing fines. That could explain why the struggling airline was given such a large discount off the original amount. However, the airline could still face large class action compensation claims in the future.

Hotel chain Marriott International has said that it expects a large reduction, to the tune of around 50%, in its own delayed ICO-issued £99 million penalty, but it has suffered another breach since making that statement.

Tesco Bank: $21 million

Tesco Bank, the retail banking arm of the UK supermarket chain, was hit with a £16.4 million ($21.2 million) fine in 2018 by the UK’s Financial Conduct Authority (FCA) after just under $3 million was stolen from 9,000 customer accounts in 2016. The FCA accused Tesco of “deficiencies” in the design of its debit card, financial crime controls and in its Financial Crime Operations Team.

Target: $18.5 million

In 2017, retail giant Target agreed to a $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-Thanksgiving Black Friday sales rush. Later investigations found names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reach over $200 million.

Anthem: $16 million

US health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The breach included names, birthdates, Social Security numbers and medical IDs. In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class-action lawsuit relating to the breach.

In 2020 the company agreed to pay a group of states a further $39.5 million to settle claims the health insurer failed to safeguard its data but refused to accept blame for the incident. “Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement with the state attorneys general,” the company said in an announcement.

1&1 Telecom: $10.6 million

It’s not just the UK’s ICO which is handing out large GDPR fines. German web hosting company 1&1 was fined €9.55 million ($10.6 million) by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) for not taking “sufficient technical and organizational measures” to prevent unauthorized persons using its customer service department to gain access to customer data. Its poor authentication processes meant that callers could obtain information on other customers by simply providing the name and birthdate of the person they wanted information on. 

Other large GDPR fines for non-breach related reasons include an €18 million fine against the Austrian postal service for processing the political affiliation of data subjects and €14.5 million against German property company Deutsche Wohnen for retaining customer data after it was no longer needed.

Google: $7.5 million

More normally associated with fines around monopolies and anti-trust, 2020 saw Google agree to pay $7.5 million to resolve a class-action lawsuit over two Google+ incidents. The search giant originally announced it planned to shut down its Google+ social network in October 2018 after revealing a bug in a Google+ API that allowed developers access to data marked as private. Though Google claimed there was no evidence this bug was exploited, it acknowledged that over 400 applications used this API and potentially affected over 500,000 accounts.

Two months later Google announced a second incident involving Google+ and said it was shutting the service down four months earlier than originally stated after another API issue gave developers access to private profile information on 52.5 million users. (Again, the company said it didn’t think there had been any exploitation of this bug.)

Two class action suits were filed in 2018 but later consolidated into one, and January 2020 saw a settlement agreed that would allow all users with Google+ accounts between January 2015 and April 2, 2019, whose non-public information was exposed to receive between $5 and $12 each.

Premera Blue Cross: $6.85 million

Though incidents have remained a regular occurrence, 2020 has largely been quiet in terms of punitive fines. But in September, Washington-based health insurance company Premera Blue Cross was fined $6.85 million for HIPAA violations.


All rights reserved Jenson Knight.