The cost of a data breach keeps rising, especially since international data protection laws such as the EU's General Data Protection Regulation (GDPR) came into force in 2018. According to IBM, a breach of 1 million records has an average total cost of 42 million USD, an eight percent increase from 2018.

This article lists the highest data breach fines in history. Note that these figures only account for penalties paid to regulatory bodies. They do not include other expenses such as legal fees, the cost of remediating security, losses from reputational damage and customer churn, post-breach share price drops, and more.

7. Yahoo – 117.5 million USD

In 2013, Yahoo suffered what may be the largest data breach in history, affecting all 3 billion user accounts registered at that time. That wasn't the end: another major breach followed in 2014, compromising about 500 million accounts.

Yahoo Inc. agreed to pay a fine of 117.5 million USD over the series of breaches. Affected users who are residents of the United States or Israel were given at least 100 USD in compensation or two years of free credit monitoring services. On top of that, the breaches knocked about 350 million USD off Yahoo's original sale price, not to mention the uncountable hidden costs from reputational damage and loss of customers.

6. Marriott International – 124 million USD

Hotel giant Marriott International suffered a massive data breach exposing personal records, including credit card information, addresses, and passport numbers, of at least half a billion customers. The intrusion started as early as 2014 and went undetected for four years. In 2019, Marriott International was fined 99,200,396 GBP (around 123,705,870 USD) for violating the General Data Protection Regulation (GDPR).

The stolen data has not popped up for sale on the dark web, which suggests the attackers weren't looking to earn money. Cybersecurity experts presume the perpetrator could be a state actor collecting data for intelligence purposes. On the day the breach was announced, Marriott International's stock value went down by 5 percent.

5. Uber – 148 million USD

In 2018, ride-sharing app Uber was fined 148 million USD over a breach affecting 600,000 drivers and 57 million user accounts. The fine could have been lower if the company had not made the mistake of trying to conceal the incident.

The perpetrators stole personal information from company data stored on Amazon Web Services between October 2016 and January 2017. The company paid the attackers 100,000 USD in ransom to keep the hack a secret.

4. Epsilon – 225 million USD 

Epsilon, an email marketing service provider, suffered a data breach in 2011. While only names and email addresses were exposed, some industry experts called it the hack of the century, as the company processed email details for some major financial institutions and hotel chains. Its big-name clients included Target, Chase, and Marriott International.

The company had to pay 225 million USD in liabilities, while lost-business estimates are about 45 million USD. In the worst case, cybersecurity experts estimate that total losses could run as high as 3 billion USD to 4 billion USD, depending on how the stolen email addresses are used.

3. British Airways – 230 million USD

British Airways was fined a hefty 183.39 million GBP (around 230 million USD) in 2019 by the ICO (Information Commissioner's Office). The penalty followed a breach in September 2018 that leaked sensitive information of half a million customers.

According to investigations, visitors to British Airways' website were diverted to a fraudulent site that the attackers used to harvest sensitive information. Details exposed in the breach included names, email addresses, and credit card information.

2. Equifax – 700 million USD

Equifax was fined up to 700 million USD by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau following a massive breach in 2017. The proposed penalty ranges between 650 million USD and 700 million USD, depending on how many users claim their compensation.

The data breach compromised critical information, including credit card numbers, social security numbers, and driver's license numbers of about 143 million American users. The breach also lowered the valuation of the Atlanta-based consumer credit reporting agency by 4 billion USD.

1. Facebook – 5 billion USD

Facebook broke the record for the highest fine ever imposed by the FTC. In 2019, the social media platform agreed to pay 5 billion USD over various privacy breaches, including the infamous Cambridge Analytica scandal. The FTC also ordered Facebook to adopt new data protection policies, which would also be imposed on other social media platforms.

Facebook had previously paid a penalty of 500,000 GBP (around 645,000 USD) to the ICO for its failure to protect user data gathered through the platform by the political data firm Cambridge Analytica.
