The 25 Significant Data Breach Fines & Violations (2012-2023)

Regulators continue to intensify scrutiny of companies that fail to maintain adequate data protection standards. Below are 25 of the biggest data privacy fines to date and some brief insights into the nature of the claims. 

Note that this list doesn’t cover fines levied by the General Data Protection Regulation (GDPR). That list includes a substantial number of global data privacy violations, too. You can view our full list of the biggest GDPR fines and penalties here.

We include in this list combined sums from regulatory fines as well as payments made to settle litigation, lawsuits, and other investigations related to the violations in question. For many companies, these class-action lawsuits produced more substantial penalties than the regulatory fines themselves.

Let's take a closer look at the biggest data breach and data privacy fines of the last decade:

1. Facebook: $5 billion

Year issued: 2019

It’s no surprise that Facebook tops our list with a $5 billion fine levied by the U.S. Federal Trade Commission (FTC) in 2019 for the Cambridge Analytica scandal and other privacy violations. The fine was the largest ever set by the FTC and came on the back of widespread public outcry over Facebook’s mishandling of user information.

The sheer size of Facebook’s breach and the highly-publicized political implications made this the highest-profile data privacy scandal in recent memory. While the purported $5 billion fine sounded like an appropriate penalty for the social media giant, the company ended up settling in court for a mere $725 million.

2. Didi Global: $1.2 billion

Year issued: 2022

Known advocates for user privacy, the Chinese government fined ride-hailing company Didi Global a total of 8 billion Yuan ($1.2 billion) for a series of violations related to data security and personal information protection. According to regulators, Didi had collected millions of pieces of illegally-obtained user information over seven years and used that in a fashion that had the potential to harm national security.

3. Amazon: $886 million

Year issued: 2021

The only GDPR penalty on this list, Amazon’s transgression is noteworthy here because it represents a regulatory crackdown on data privacy violators. The Luxembourg National Commission for Data Protection slapped Amazon with a record €746 million ($886 million) for violating GDPR. Months later, Amazon appealed this decision and asserted that no data breach had occurred and no customer data had been exposed to third parties. The appeal is set to go to a Luxembourg court in January 2024.

4. Equifax: $700 million

Year issued: 2019

On the back of one of the largest user data breaches in history, Equifax was fined $700 million by the FTC in 2019 for its infamous 2017 data breach. The fine was imposed on Equifax for failing to take adequate measures to protect the personal information of approximately 147 million people. Reports suggest that hackers operated on Equifax’s network for months before detection. In the end, Equifax settled to pay between $575 and $700 million of the levied penalty.

5. Epic Games: $520 million

Year issued: 2022

In a record-breaking settlement that involved the Children’s Online Privacy Protection Act (COPPA), Epic Games, the creator of Fortnite, was fined a whopping $520 million by the FTC. The action involved two record-breaking settlements: $275 million in fines for violating COPPA, and $245 million in additional fees as reimbursement for affected consumers. "As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children," noted FTC Chair Lina M. Khan.

6. T-Mobile: $500 million

Year issued: 2022

T-Mobile suffered a cyberattack in 2021 that exposed the personal data of over 76 million people and led to a lawsuit and eventual settlement of $500 million—$350 million in customer restitution and $150 million paid toward upgrades to T-Mobile’s cybersecurity systems.

Then T-Mobile experienced another cyberattack on January 19, 2023, just days before the opt-in period for its previous legal settlement was to close. A spokesperson for T-Mobile stated that the new attack was "an altogether separate and different security incident" from its previous breach, and incident details continue to unfold.

7. Home Depot: $200+ million

Year issued: Ongoing

Between April 10th and September 13th, 2014, hackers infiltrated Home Depot’s self-checkout point-of-sale system and infected devices with personal information-skimming malware. 

The Connecticut Attorney General deemed that Home Depot had failed to take necessary precautions to prevent the theft of customer information. This left the retailer embroiled in a series of investigations and settlements to provide restitution to those affected. While the exact sum of these expenses is unknown, it’s estimated that Home Depot’s cyberattack cost the company more than $200 million.

8. Capital One: $190 million

Year issued: 2021

While not a regulatory fine proper, Capital One’s infamous 2019 data breach is notable both for its scope (over 100 million people affected) as well as its tiresome, repetitive nature. Capital One received an $80 million fine from the U.S. Office of the Comptroller of the Currency (OCC) in 2020 for a similar vulnerability. The cyberattack resulted in a class-action lawsuit settlement of $190 million, though Capital One denied all liability.

9. Google: $170 million

Year issued: 2019

Google was slapped with a $170 million FTC fine in 2019 for violating COPPA. Regulators claimed that Google had illegally collected personal information from children under 13 who accessed YouTube. This penalty was far exceeded by Epic Games in 2022, though at the time, Google’s penalty represented one of the largest COPPA-related fines to date.

10. Twitter: $150 million

Year issued: 2022

Twitter caught fire in 2022 when it allowed advertisers to access personal information that was purportedly collected for purposes of account security. This violated a 2011 FTC order that prohibited the company from misrepresenting its security and privacy practices. In response, the FTC fined Twitter $150 million and banned the company from profiting from its deceptive use of user data.

11. Uber: $148 million

Year issued: 2018

In an expensive bit of procrastination, rideshare service Uber agreed to pay $148 million in restitution because it failed to report a data breach that had occurred in 2016. The 2016 breach involved a cyberattack that compromised the personal information of approximately 600,000 Uber drivers, but the company didn’t inform those affected until nearly a year later. The settlement was reached with the Texas Attorney General’s office and includes requirements to upgrade Uber’s security policies.

12. Morgan Stanley: $155 million (total)

Year issued: 2022

Continuing our theme of costly mistakes, we have Morgan Stanley, a banking institution familiar with privacy concerns. Over a five-year period that began in 2015, Morgan Stanley contracted a moving company without experience in data destruction to decommission thousands of devices. The company in question sold many of these devices, with unencrypted personal data still intact, to third parties.

The U.S. Securities and Exchange Commission (SEC) fined Morgan Stanley $35 million for its failure to safeguard personal information, and along with fines from the OCC and a legal settlement that cost the company an additional $60 million, Morgan Stanley has felt the effect of its data privacy breach.

13. Anthem: $115 million

Year issued: 2018

In 2015, Anthem Inc.—the largest health insurance company in the U.S.—experienced a data breach that compromised the personal information of 79 million individuals. The $115 million cost to Anthem was paid to settle litigation against the company. Claimants argued that Anthem failed to protect the personal information of its customers. This settlement was, at the time, the largest settlement on record for a data breach.

14. Zoom: $85 million

Year issued: 2021

Zoom skyrocketed in popularity during the 2020 COVID-19 pandemic lockdowns, though its soaring stock price brought with it a new set of challenges the company was unprepared to handle. Zoom was fined $85 million by the FTC in 2021 because they falsely claimed that its video conferencing platform provided end-to-end encryption and because they failed to safeguard user data that was shared with third-party services such as Facebook and LinkedIn.

15. Capital One: $80 million

Year issued: 2020

Plagued by ongoing privacy and data security concerns, Capital One was fined $80 million in 2020 by the OCC for a data breach that occurred one year prior in 2019. The fine was imposed on Capital One because it failed to establish effective risk management practices and failed to correct known deficiencies in its cyber security program. The same issue affected Capital One again in the following year.

16. Anthem: $39.5 million

Year issued: 2020

Related to the 2015 data breach, Anthem’s troubles weren’t resolved with the $115 million litigation settlement. Later, Anthem was brought to the task before a multi-state coalition of U.S. Attorney Generals who levied an additional $39.5 million fine against the insurance provider.

17. Yahoo!: $35 million

Year issued: 2019

Yahoo! experienced a series of cyberattacks that occurred in 2013 and 2014. These attacks compromised the records of hundreds of millions of user accounts. This remains one of the largest data breaches in history, and worse yet, Yahoo! reportedly took steps to obscure the extent of the damage to shareholders. The breach was not revealed to the investing public until two years after the incident occurred. This earned the company a $35 million fine from the SEC in 2019.

18. AT&T: $25 million

Year issued: 2015

Telecom company AT&T was hit with a $25 million FTC fine in 2015 for data security breaches. The fine was imposed on AT&T because it failed to protect the personal information of its customers from breaches that occurred at call centers in Mexico, Colombia, and the Philippines. This resulted in the disclosure of nearly 280,000 customer profiles.

19. Google: $22.5 million

Year issued: 2012

The FTC fined Google $22.5 million in 2012 because it violated an agreement on online privacy. The fine was imposed for misrepresenting its privacy practices to users of Apple's Safari web browser and was, at the time, the largest FTC penalty on record for a violation of a commission order. Part of this ruling ordered Google to disable its illicitly-placed tracking cookies on user devices.

20. Uber: $20 million

Year issued: 2017

Uber was ordered by the FTC to pay $20 million in 2017 for misleading drivers about their earnings potential as well as details related to vehicle financing. These collected funds will be used to reimburse drivers affected by Uber’s policy, and Uber was ordered to alter its marketing to get more in touch with reality.

21. Target: $18.5 million

Year issued: 2017

Following a massive data breach that occurred in 2013, Target was confronted by 47 U.S. states and ordered to pay $18.5 million in restitution. The fine was imposed due to Target’s failure to protect the personal information of its customers. As a result, 225,000 consumers joined class-action litigation against the retailer. Part of the settlement included an order to reform and revitalize Target’s flagging cybersecurity system.

22. TikTok: $5.7 million

Year issued: 2019

In 2019, the popular social media and spyware app TikTok was fined $5.7 million by the FTC. The fine was imposed on TikTok, formerly known as Musical.ly, because it illegally collected personal information from children under 13 without parental consent.

23. Zoetop: $1.9 million

Year issued: 2022

Next, we have Zoetop, an eCommerce retailer. Zoetop experienced a cyberattack in 2018 that compromised the personal details of tens of millions of consumers worldwide. This cost the company $1.9 million in fines. 

According to the New York Office of the Attorney General, Zoetop “failed to properly safeguard consumers’ information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers.”

24. Sephora: $1.2 million

Year issued: 2022

Thanks to a relatively new mandate—the California Consumer Privacy Act (CCPA)—Sephora was fined $1.2 million for a series of user data missteps. The company was faulted for failing to inform shoppers that their personal data would be sold and for failing to let users opt out of these sales. This fine is notable as the first penalty issued under the CCPA, which came into action in 2018.

25. CafePress: $500,000

Year issued: 2022

In 2022, eCommerce vendor CafePress faced FTC scrutiny when it covered up a data breach and failed to maintain adequate cybersecurity and data protection practices. As part of a restitution order, the company was ordered to pay $500,000 in redress for the affected entities as well as develop a more robust information security program moving forward.

Protect Your Business From a Costly Compliance Mistake

While powerhouse legislation like GDPR will continue to dominate data privacy news, it’s not the only compliance framework that businesses should worry about. From regional mandates like CCPA to user-centric regulations like COPPA, compliance can take many forms--and failure to stay on top of these changing rules can cost businesses big. 

Solutions like Enzuzo help companies master their compliance obligations with just a few clicks. With our help, it’s easy to stay on top of changing regulatory laws and ensure your company has the tools it needs to remain successful in the coming years.