
59 Biggest Data Breach Fines & Privacy Violations ($500k Plus)

Osman Husain 3/4/26 9:53 PM


Regulators worldwide continue to intensify scrutiny of companies that fail to maintain adequate data protection standards. Below are 59 of the biggest data privacy fines, penalties, and settlements to date including both cyberattacks and privacy oversights by the offending companies.

This list is ranked by dollar amount, with the biggest breaches at the top. The fines are both regulatory fines (from government authorities) and payments made to settle litigation, lawsuits, and other investigations related to the violations in question. For many companies, these class-action lawsuits produced more substantial penalties than the regulatory fines themselves.

 

1. Facebook (Cambridge Analytica): $5 billion

Year issued: 2019

It's no surprise that Facebook tops our list with a $5 billion fine levied by the U.S. Federal Trade Commission (FTC) in 2019 for the Cambridge Analytica scandal and other privacy violations. The fine was the largest ever set by the FTC and came on the back of widespread public outcry over Facebook's mishandling of user information. The sheer size of Facebook's breach and the highly-publicized political implications made this the highest-profile data privacy scandal in recent memory. While the purported

 

2. Meta (Texas Biometric Settlement): $1.4 billion

Year issued: 2024

In July 2024, the Texas Attorney General secured a record $1.4 billion settlement with Meta for unlawfully capturing and using the biometric data of millions of Texans without consent. The case centered on Facebook's "Tag Suggestions" feature, which ran facial recognition software on virtually every face in uploaded photographs for over a decade. This settlement is the largest ever obtained from an action brought by a single U.S. state and represents the first enforcement action under the Texas Capture or Use of Biometric Identifier Act (CUBI).

 

3. Meta (GDPR Data Transfers): $1.3 billion

Year issued: 2023

In May 2023, the Irish Data Protection Commission (DPC) imposed the largest GDPR fine in history—€1.2 billion ($1.3 billion)—on Meta for unlawfully transferring European users' personal data to the United States. The ruling followed years of legal uncertainty after the Schrems II court decision invalidated the EU-US Privacy Shield. The DPC found that Meta's reliance on Standard Contractual Clauses was insufficient to protect EU citizens' data from potential U.S. government surveillance. 

 

4. Didi Global (Personal Data Protection): $1.2 billion

Year issued: 2022

The Chinese government, a known advocate for user privacy, fined ride-hailing company Didi Global a total of 8 billion yuan ($1.2 billion) for a series of violations related to data security and personal information protection. According to regulators, Didi had collected millions of pieces of illegally obtained user information over seven years and used that information in a fashion that had the potential to harm national security.

 

5. Amazon (GDPR Violation): $886 million

Year issued: 2021

The Luxembourg National Commission for Data Protection slapped Amazon with a record €746 million ($886 million) for violating GDPR. The fine stemmed from a complaint filed by 10,000 people through French privacy rights group La Quadrature du Net, which alleged Amazon had manipulated customers for commercial means by choosing what advertising and information they received. The CNPD found infringements regarding Amazon's advertising targeting system, which was carried out without proper consent. 

 

6. Equifax (Data Breach): $700 million

Year issued: 2019

On the back of one of the largest user data breaches in history, Equifax was fined $700 million by the FTC in 2019 for its infamous 2017 data breach. The fine was imposed on Equifax for failing to take adequate measures to protect the personal information of approximately 147 million people. Reports suggest that hackers operated on Equifax's network for months before detection. In the end, Equifax settled to pay between $575 and

 

7. TikTok (Data Transfers to China): $600 million

Year issued: 2025

In May 2025, Ireland's DPC fined TikTok €530 million ($600 million) for transferring European users' personal data to servers in China without ensuring protections equivalent to those required under EU law. The investigation revealed that engineers in China had routine access to sensitive EEA user information. Worse, TikTok had assured regulators that it did not store European data in China, a claim later found to be inaccurate. This is the third-largest GDPR fine ever issued.

 

8. Meta (Spain – Unfair Ad Practices): $540 million

Year issued: 2025

A Madrid court hit Meta with a massive €479 million ($540 million) fine after finding the company had unlawfully processed user data to gain an unfair competitive advantage in the online advertising market. The ruling sided with 87 Spanish media companies who argued that Meta's data practices distorted competition. The appeals process could take up to four years, with fines on hold until all legal options are exhausted. 

 

9. Epic Games (Privacy Violations): $520 million

Year issued: 2022

In a record-breaking settlement that involved the Children's Online Privacy Protection Act (COPPA), Epic Games, the creator of Fortnite, was fined a whopping $520 million by the FTC. The action involved two record-breaking settlements: $275 million in fines for violating COPPA, and $245 million in additional fees as reimbursement for affected consumers. "As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children," noted FTC Chair Lina M. Khan.

 

10. T-Mobile (Cyberattack Prevention): $500 million

Year issued: 2022

T-Mobile suffered a cyberattack in 2021 that exposed the personal data of over 76 million people and led to a lawsuit and eventual settlement of $500 million—$350 million in customer restitution and $150 million paid toward upgrades to T-Mobile's cybersecurity systems. Then, T-Mobile experienced another cyberattack on January 19, 2023, just days before the opt-in period for its previous legal settlement was to close.

 

11. Meta (Instagram – Children’s Data): $405 million

Year issued: 2022

In September 2022, Ireland's DPC fined Meta €405 million for violating children's data privacy on Instagram. The platform had defaulted teen accounts to public during the sign-up process, exposing phone numbers and email addresses. Some young users who upgraded to business accounts had their personal contact details made openly accessible. Meta said it planned to appeal, claiming the settings had already been updated.

 

12. Meta (Personalized Ads): $390 million

Year issued: 2023

In January 2023, the Irish DPC fined Meta €390 million after finding that the company relied on a consent clause buried in its Terms of Service to show users personalized ads—a practice found to be non-compliant with GDPR. The case originated from complaints filed by privacy advocacy group NOYB and concluded that Meta lacked a valid legal basis for processing personal data for ad targeting purposes.

 

13. TikTok (Children’s Privacy): $390 million

Year issued: 2023

In September 2023, Ireland's DPC fined TikTok €345 million ($390 million) for failing to protect children's privacy. The investigation found that teen accounts were set to public by default, allowing anyone to view and comment on their videos. This was TikTok's first major GDPR fine and highlighted growing regulatory attention to how social media platforms handle minors' data.

 

14. LinkedIn: $336 million

Year issued: 2024

In October 2024, the Irish DPC fined LinkedIn €310 million ($336 million) for violating GDPR in its advertising practices. The investigation, sparked by a 2018 complaint from French nonprofit La Quadrature Du Net, found that LinkedIn used member data and third-party data for behavioral analysis and targeted advertising without valid consent, legitimate interest, or contractual necessity. LinkedIn was ordered to bring its data practices into compliance.

 

15. Uber (GDPR – Driver Data Transfers): $324 million

Year issued: 2024

In August 2024, the Dutch Data Protection Authority fined Uber €290 million ($324 million) for transferring sensitive European driver data to the US without adequate safeguards. The investigation, launched after complaints from over 170 French drivers, revealed that Uber retained license details, payment info, location data, and even medical and criminal records on US servers. Uber had stopped using Standard Contractual Clauses in 2021, leaving the data exposed.  

 

16. Meta (533 Million User Data Breach): $277 million

Year issued: 2022

In November 2022, the Irish DPC fined Meta €265 million ($277 million) after a dataset containing personal information of 533 million Facebook users was discovered on a hacking website. The investigation found that Meta had failed to comply with GDPR obligations for Data Protection by Design and Default, leaving users' names, phone numbers, and other personal details vulnerable to scraping and exposure.  

 

17. Meta (2018 Facebook Breach): $264 million

Year issued: 2024

In September 2024, the Irish DPC fined Meta €251 million ($264 million) for a 2018 Facebook breach that exposed the personal data of 29 million users globally, including 3 million in the EU/EEA. The breach, caused by a flaw in the "view as" feature, compromised sensitive information such as names, contact details, religious views, and group memberships. The DPC found Meta failed to implement privacy by design and submitted incomplete breach notifications.  

 

18. WhatsApp: $255 million

Year issued: 2021

In September 2021, Ireland's DPC fined WhatsApp €225 million ($255 million) for GDPR transparency violations. The messaging service, owned by Meta, was found to have provided insufficient information to users about how their personal data was processed and on what legal basis. The investigation began in 2018 and involved a lengthy enforcement process where the DPC's initial proposed sanctions were rejected by European counterpart regulators as too lenient.  

 

19. Google LLC (Gmail Ads – France): $225 million

Year issued: 2025

France's data watchdog CNIL fined Google LLC €200 million ($225 million) for inserting advertisements disguised as emails into Gmail users' inboxes without valid consent. The CNIL ruled that this practice amounted to unsolicited direct marketing, violating EU privacy law. It also criticized Google's account-creation process for unfairly steering users toward accepting advertising cookies.

 

20. Home Depot: $200+ million

Year issued: 2014

Between April 10th and September 13th, 2014, hackers infiltrated Home Depot's self-checkout point-of-sale system and infected devices with personal information-skimming malware. The Connecticut Attorney General deemed that Home Depot had failed to take necessary precautions to prevent the theft of customer information. While the exact sum of these expenses is unknown, it's estimated that Home Depot's cyberattack cost the company more than $200 million in investigations and settlements.

 

21. Capital One: $190 million

Year issued: 2021

While not a regulatory fine proper, Capital One's infamous 2019 data breach is notable both for its scope (over 100 million people affected) and for the repeat penalties it drew: Capital One had already received an $80 million fine from the U.S. Office of the Comptroller of the Currency (OCC) in 2020 for a similar vulnerability. The cyberattack then resulted in a class-action lawsuit settlement of $190 million, though Capital One denied all liability.

 

22. SHEIN (France – Cookie Consent): $170 million

Year issued: 2025

France's CNIL fined SHEIN (Infinite Styles Services Co. Ltd) €150 million ($170 million) for placing advertising cookies on users' devices before they could consent. The investigation found that SHEIN's cookie banners were incomplete and misleading, omitting details about advertising purposes, providing no information about third-party cookies, and making it difficult for users to refuse or withdraw consent.

 

23. Google: $170 million

Year issued: 2019

Google was slapped with a $170 million FTC fine in 2019 for violating COPPA. Regulators claimed that Google had illegally collected personal information from children under 13 who accessed YouTube. This penalty was far exceeded by Epic Games in 2022, though at the time, Google's penalty represented one of the largest COPPA-related fines to date.

 

24. Morgan Stanley: $155 million (total)

Year issued: 2022

Over a five-year period beginning in 2015, Morgan Stanley contracted a moving company without experience in data destruction to decommission thousands of devices. The company sold many of these devices, with unencrypted personal data still intact, to third parties. The U.S. SEC fined Morgan Stanley $35 million for its failure to safeguard personal information, and along with fines from the OCC and a legal settlement that cost the company an additional $60 million, the total exceeded $155 million.

 

25. Twitter: $150 million

Year issued: 2022

Twitter caught fire in 2022 when it allowed advertisers to access personal information that was purportedly collected for purposes of account security. This violated a 2011 FTC order that prohibited the company from misrepresenting its security and privacy practices. In response, the FTC fined Twitter $150 million and banned the company from profiting from its deceptive use of user data.

 

26. Uber: $148 million

Year issued: 2018

In an expensive bit of procrastination, rideshare service Uber agreed to pay $148 million in restitution because it failed to report a data breach that had occurred in 2016. The breach involved a cyberattack that compromised the personal information of approximately 600,000 Uber drivers, but the company didn't inform those affected until nearly a year later.

 

27. Google Ireland (Cookie Consent – France): $141 million

Year issued: 2025

France's CNIL fined Google Ireland Limited €125 million ($141 million) for failing to properly inform users about the use of advertising cookies during the account creation process. Users were not clearly told about third-party data collection and were not given a simple way to refuse cookies, rendering their consent invalid under GDPR.

 

28. Anthem: $115 million

Year issued: 2018

In 2015, Anthem Inc.—the largest health insurance company in the U.S.—experienced a data breach that compromised the personal information of 79 million individuals. The $115 million cost to Anthem was paid to settle litigation against the company. Claimants argued that Anthem failed to protect the personal information of its customers. This settlement was, at the time, the largest on record for a data breach.

 

29. Meta (Plaintext Passwords): $102 million

Year issued: 2024

In September 2024, the Irish DPC fined Meta €91 million ($102 million) after an inquiry revealed the company had inadvertently stored certain user passwords in plaintext on its internal systems—meaning no cryptographic protection or encryption was in place. While Meta said there was no evidence the passwords were accessed improperly, the DPC found the company breached GDPR by failing to ensure the ongoing confidentiality of user credentials.

 

30. Google LLC (YouTube Cookies – France): $101 million

Year issued: 2021

In December 2021, France's CNIL issued a €90 million ($101 million) fine against Google LLC for non-compliance with the French Data Protection Act regarding cookie consent on YouTube. The case was part of a broader CNIL crackdown on how major tech platforms handled cookie consent for French users.  

 

31. Enel Energia (Italy): $89 million

Year issued: 2024

In February 2024, Italy's data protection authority (Garante) fined Enel Energia SpA €79.1 million ($89 million) for GDPR violations uncovered during an investigation by the Guardia di Finanza. The investigation revealed that Enel had unlawfully acquired 978 contracts from four companies using illicit customer lists, and failed to implement adequate security measures in its customer management system.  

 

32. Zoom: $85 million

Year issued: 2021

Zoom skyrocketed in popularity during the 2020 COVID-19 pandemic lockdowns, though its soaring stock price brought with it new challenges. Zoom was fined $85 million by the FTC in 2021 because it falsely claimed that its video conferencing platform provided end-to-end encryption and because it failed to safeguard user data that was shared with third-party services such as Facebook and LinkedIn.

 

33. T-Mobile USA (FCC – Location Data): $80 million

Year issued: 2024

In April 2024, the FCC fined T-Mobile USA $80 million for disclosing customers' location data to third parties without consent. The FCC's investigation revealed that T-Mobile had shared precise location information without authorization, violating the privacy protections enshrined in the Communications Act. The fine was part of a broader FCC crackdown on wireless carriers' location data practices.  

 

34. Capital One: $80 million

Year issued: 2020

Plagued by ongoing privacy and data security concerns, Capital One was fined $80 million in 2020 by the OCC for a data breach that occurred one year prior in 2019. The fine was imposed because Capital One failed to establish effective risk management practices and failed to correct known deficiencies in its cybersecurity program.

 

35. Google Ireland (Cookie Consent – France, €60M): $67 million

Year issued: 2021

On the same day as the €90 million fine to Google LLC, France's CNIL also issued a separate €60 million ($67 million) fine to Google Ireland for the exact same cookie consent violations on Google services in France. The dual fines reflected the CNIL's view that both the US and Irish entities bore responsibility for cookie practices affecting French users.

 

36. Lehigh Valley Health Network: $65 million

Year issued: 2024

Pennsylvania healthcare company Lehigh Valley Health Network (LVHN) agreed to a class action lawsuit settlement worth $65 million in September 2024 following a ransomware attack that exposed the medical records of 600 patients and employees. The settlement is believed to be the largest of its kind on a per-patient basis in a healthcare data breach-ransomware case, sending a strong message about the consequences of failing to protect medical data.

 

37. AT&T (FCC – Location Data): $57 million

Year issued: 2024

As part of the same FCC investigation into wireless carriers' location data practices, AT&T was fined $57.3 million in April 2024 for disclosing customers' location data to third parties without consent. Like T-Mobile, AT&T had failed to protect proprietary customer information as required by the Communications Act. 

 

38. Marriott International: $52 million

Year issued: 2024

Marriott International reached a $52 million settlement with all 50 U.S. states in 2024 related to a multi-year data breach that affected over 131 million users of its Starwood guest reservation database. The allegations involved failure to comply with consumer protection laws, privacy laws, and data security standards across the hospitality giant's systems.

 

39. Vodafone Germany: $51 million

Year issued: 2025

Germany's federal data protection commissioner fined Vodafone GmbH a combined €45 million ($51 million) in two separate offenses in 2025. The larger fine (€30 million) was for security flaws in the authentication process for customers using the MeinVodafone online portal and customer hotline, which enabled unauthorized access to customer eSIM profiles. The smaller fine (€15 million) was for failing to properly oversee contracts with third-party agencies.

 

40. Verizon Communications: $47 million

Year issued: 2024

Verizon Communications was fined $46.9 million by the FCC as part of the same April 2024 investigation into wireless carriers sharing customer location data. Like T-Mobile and AT&T, Verizon was found to have passed customer location information to third parties without first obtaining consent. "Wireless carriers have an obligation to protect our location data," said FCC Chairwoman Jessica Rosenworcel.  

 

41. Anthem: $39.5 million

Year issued: 2020

Related to the 2015 data breach, Anthem's troubles weren't resolved with the $115 million litigation settlement. Later, Anthem was brought before a multi-state coalition of U.S. Attorneys General, who levied an additional $39.5 million fine against the insurance provider.

 

42. Amazon France Logistique: $36 million

Year issued: 2023

In December 2023, France's CNIL fined Amazon France Logistique €32 million ($36 million) for excessively intrusive employee monitoring and insufficient data security measures. Warehouse employees were closely tracked using handheld scanners that recorded productivity, idle time, and task speed down to the second. The CNIL deemed this level of surveillance disproportionate and said it created undue pressure on workers.

 

43. Yahoo!: $35 million

Year issued: 2019

Yahoo! experienced a series of cyberattacks in 2013 and 2014 that compromised the records of hundreds of millions of user accounts. This remains one of the largest data breaches in history, and worse yet, Yahoo! reportedly took steps to obscure the extent of the damage to shareholders. The breach was not revealed to investors until two years after the incident occurred, earning the company a $35 million fine from the SEC.

 

44. Clearview AI: $34 million

Year issued: 2024

In September 2024, the Dutch Data Protection Authority fined Clearview AI €30.5 million ($34 million) for building an illegal facial recognition database by scraping billions of images from the internet without users' consent. The American company's use of this data for intelligence purposes raised significant privacy concerns. In addition to the fine, Clearview faces ongoing penalty payments if violations continue, and the Dutch DPA is considering holding the company's directors personally accountable.

 

45. 23andMe: $30 million

Year issued: 2024

Genetic testing company 23andMe reached a $30 million settlement in 2024 resulting from a class action over a data breach that exposed customers' ancestry data. The breached accounts were not protected by multi-factor authentication, and attackers are believed to have used credentials reused across multiple websites. 23andMe denied any wrongdoing in the settlement agreement.

 

46. AT&T: $25 million

Year issued: 2015

Telecom company AT&T was hit with a $25 million FTC fine in 2015 for data security breaches. The fine was imposed because AT&T failed to protect the personal information of its customers from breaches that occurred at call centers in Mexico, Colombia, and the Philippines, resulting in the disclosure of nearly 280,000 customer profiles.

 

47. Google: $22.5 million

Year issued: 2012

The FTC fined Google $22.5 million in 2012 for misrepresenting its privacy practices to users of Apple's Safari web browser. At the time, it was the largest FTC penalty on record for a violation of a commission order. Part of this ruling ordered Google to disable its illicitly placed tracking cookies on user devices.

 

48. Uber: $20 million

Year issued: 2017

Uber was ordered by the FTC to pay $20 million in 2017 for misleading drivers about their earnings potential as well as details related to vehicle financing. These collected funds were used to reimburse drivers affected by Uber's policy, and Uber was ordered to alter its marketing.

 

49. Target: $18.5 million

Year issued: 2017

Following a massive data breach in 2013, Target was confronted by 47 U.S. states and ordered to pay $18.5 million in restitution for failing to protect the personal information of its customers. As a result, 225,000 consumers joined class-action litigation against the retailer. Part of the settlement included an order to reform Target's cybersecurity system.

 

50. Capita (UK): $18 million

Year issued: 2025

The UK's Information Commissioner's Office (ICO) fined outsourcing firm Capita £14 million ($18 million) in October 2025 for security failings that led to a massive ransomware breach in 2023. The attack exposed sensitive personal data and raised serious questions about the company's cybersecurity preparedness, particularly given its role as a major government contractor.  

 

51. T-Mobile (FCC Security Settlement): $15.75 million

Year issued: 2024

Separately from its location data fine, T-Mobile reached a $15.75 million settlement with the FCC over several security incidents spanning 2021 to 2023 that resulted in millions of consumers' personal data being accessed by cyber criminals. In addition to the fine, T-Mobile was required to invest an equal amount ($15.75 million) toward upgrading its cybersecurity practices and safeguards.

 

52. Luka Inc. (Replika AI Chatbot): $5.8 million

Year issued: 2025

Italy's Garante fined US AI firm Luka Inc. €5 million ($5.8 million) for GDPR violations related to its Replika chatbot. The regulator found that Luka collected and processed personal and behavioral information without obtaining proper consent, that its privacy notices were too opaque, and critically, that no age verification measures were in place—meaning children under 13 could access the platform.

 

53. TikTok: $5.7 million

Year issued: 2019

In 2019, TikTok (formerly known as Musical.ly) was fined $5.7 million by the FTC for illegally collecting personal information from children under 13 without parental consent, violating COPPA.

 

54. ING Bank Śląski (Poland): $5.1 million

Year issued: 2025

Poland's UODO data protection authority imposed a €4.4 million ($5.1 million) fine on ING Bank Śląski S.A. for unlawfully processing personal data. The bank was found to have scanned customers' and prospective customers' identity documents without checking whether this was justified under the EU's Act on Counteracting Money Laundering and Financing of Terrorism.

 

55. Acea Energia (Italy): $3.4 million

Year issued: 2025

Italy's data protection authority (Garante) fined energy company Acea Energia S.p.A. €3 million ($3.4 million) in 2025 for data protection violations related to the handling of energy customer data, contributing to a growing trend of enforcement actions targeting European utilities.  

 

56. Zoetop: $1.9 million

Year issued: 2022

eCommerce retailer Zoetop experienced a cyberattack in 2018 that compromised the personal details of tens of millions of consumers worldwide. According to the New York Office of the Attorney General, Zoetop "failed to properly safeguard consumers' information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers."

 

57. Healthline (CCPA – California): $1.55 million

Year issued: 2025

In 2025, California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline relating to alleged data privacy violations of the California Consumer Privacy Act (CCPA) and the state's Unfair Competition Law. The case highlights the growing enforcement of US state-level privacy regulations beyond the EU's GDPR framework.

 

58. Sephora: $1.2 million

Year issued: 2022

Thanks to the California Consumer Privacy Act (CCPA), Sephora was fined $1.2 million for a series of user data missteps. The company was faulted for failing to inform shoppers that their personal data would be sold and for failing to let users opt out of these sales. This fine is notable as the first penalty issued under the CCPA, which came into action in 2018.

 

59. CafePress: $500,000

Year issued: 2022

In 2022, eCommerce vendor CafePress faced FTC scrutiny when it covered up a data breach and failed to maintain adequate cybersecurity and data protection practices. The company was ordered to pay $500,000 in redress for affected entities as well as develop a more robust information security program.

 

Protect Your Business From a Costly Compliance Mistake

From GDPR in Europe to CCPA in California to COPPA and FTC enforcement in the US, compliance obligations continue to multiply. Failure to stay on top of these changing rules can cost businesses both money and brand reputation.

As this list demonstrates, no company is too large to escape scrutiny, and penalties are only growing. Solutions like Enzuzo help companies master their compliance obligations with just a few clicks. With the right tools, it’s easy to stay on top of changing regulatory laws and ensure your company has what it needs to remain successful in the coming years.


 

Osman Husain


Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.