Is Your Company Characterized by Weak Security? Here’s a List of the Largest Breach Fines, Penalties and Settlements in Recent Years

Weak security is a multifaceted problem for many companies: it means poor protection for sensitive data, and it also means exposure to very large regulatory fines, penalties and settlements. The companies mentioned in this blog have been hit with more than $1.3 billion (and counting) in fines, penalties and settlements over hacks and data thefts. All of these incidents were made possible by weak security, avoidable mistakes or underinvestment in cybersecurity infrastructure and staffing, and several were made far more expensive by intentional cover-ups.

Let’s get your attention. Here are the companies behind the $1.3 billion figure we mentioned above. We bet you’ll recognize more than just a few of these brand names, which makes the point: yes, the problem is everywhere.


Equifax

Amount Fined: $575 million

Breach: Equifax exposed the personal and financial information of nearly 150 million people through an unpatched Apache Struts vulnerability in a public-facing web application. The company failed to apply the fix for months after the patch had been issued, and then waited weeks after discovering the breach before informing the public. The $575 million figure is the baseline of its 2019 settlement with the FTC, the CFPB and state attorneys general.

British Airways 

Amount Fined: $230 million

Breach: British Airways was fined by the ICO, the UK’s data protection authority, after attackers injected card-skimming scripts into its website and harvested the personal and payment data of up to 500,000 customers over a two-week period. The $230 million (£183 million) figure was the ICO’s initial notice of intent; the final penalty, issued in 2020, was reduced to £20 million.


Uber

Amount Fined: $148 million

Breach: After 600,000 driver and 57 million user accounts were breached in 2016, the company paid the hackers $100,000 to delete the data and keep the hack secret. The cover-up, more than the breach itself, is what drove the 2018 settlement with the US states to $148 million.

Marriott International

Amount Fined: $124 million

Breach: Information on up to 500 million guests, including names, addresses, phone numbers, email addresses and passport numbers, was compromised from the Starwood reservation database Marriott had acquired. Once the source of the breach was traced, it became clear that attackers had been inside that network for about four years before discovery. As with British Airways, the $124 million (£99 million) figure was the ICO’s notice of intent; the final penalty in 2020 was £18.4 million.


Yahoo

Amount Fined: $85 million

Breach: A breach affected all 3 billion accounts in the Yahoo database, and the company chose not to disclose it for three years. That delay, not just the breach, is what it paid for.

Capital One

Amount Fined: $80 million

Breach: In 2019, 100 million people in the U.S. and 6 million in Canada had data exposed, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, self-reported income, credit scores, credit limits, balances, payment history, fragments of transaction data and, for some customers, Social Security numbers and bank account numbers. The $80 million penalty was imposed by the OCC in 2020 for failing to manage the risks of the bank’s move to a cloud environment.

Tesco Bank

Amount Fined: $21 million

Breach: In 2016, about $3 million was stolen from roughly 9,000 customer accounts in an attack that exploited, in part, deficiencies in the design of the bank’s debit cards. The fine was imposed by the UK’s Financial Conduct Authority.


Target

Amount Fined: $18.5 million

Breach: In 2013, 40 million credit and debit card numbers were stolen from Target’s point-of-sale systems during the Black Friday shopping period after Thanksgiving. The $18.5 million figure is the multistate settlement reached in 2017.


Anthem

Amount Fined: $16 million

Breach: In 2015, a breach of Anthem’s network exposed the names, birth dates, Social Security numbers and medical IDs of roughly 79 million people. The $16 million figure is a HIPAA settlement with the HHS Office for Civil Rights, the largest of its kind at the time.

1&1 Telecom

Amount Fined: $10.6 million

Breach: 1&1 Telecom was fined by Germany’s federal data protection authority because its customer service line let callers obtain customer information by supplying only a name and date of birth, an authentication process far too weak for the data it protected.


Google

Amount Fined: $7.5 million

Breach: A bug in a Google+ API allowed some 400 third-party applications to access profile data they were not authorized to see, potentially affecting over 500,000 accounts. Two class-action lawsuits followed, and Google paid $7.5 million to settle them.

The University of Texas MD Anderson Cancer Center

Amount Fined: $4.3 million

Breach: After breaches involving an unencrypted laptop and unencrypted USB drives exposed the health information of over 33,500 individuals, the cancer center was assessed a civil money penalty for HIPAA violations, essentially for failing to encrypt the devices.

Fresenius Medical Care North America

Amount Fined: $3.5 million

Breach: After five separate breaches at five of its facilities, Fresenius settled with HHS essentially for failing to accurately assess the risks and vulnerabilities to the health information it held. The breaches exposed patient data, and the company had not improved its security after the first one.

Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center (URMC)

Amount Fined: $3 million each

Breach: All three settled HIPAA-related cases after patients’ health information was exposed in each breach.

Data Source linked here

These fines are no small amount. So, what does this mean? First, regulators are getting serious. Organizations that do not properly protect consumer data are no longer free and clear, and regulation of how organizations handle consumer data has grown steadily in recent years. Uber’s 2016 breach, which cost the company almost $150 million, kicked off what has now become multiple years of serious enforcement against large organizations with weak security.

Beyond the companies mentioned above, breach fines have risen sharply among healthcare organizations, an industry that is heavily regulated yet known for weak security.

If you have questions about protecting your company’s data (sensitive or otherwise), please reach out to PK Tech.