Top 10 Data Protection Fines and Settlements of 2024

Large-scale data breaches and privacy violations have become a common occurrence over the past decade amid the vast collection of personal information online.

In response, a plethora of data protection and cybersecurity regulations have come into force, enabling authorities to get tougher with businesses that fail to adequately protect individuals’ personal data.

Eye-watering financial penalties for cybersecurity and privacy failings have become commonplace in the EU since the General Data Protection Regulation (GDPR) came into effect in 2018, with authorities taking a particularly hard line since mid-2021.

This approach aims to send a strong message to organizations that they must implement robust controls and solutions to protect people’s personal data.

In 2024 we have seen a continuation of this trend across the EU, while over in the US, regulators have also stepped up the consequences for data protection violations.

In the US in particular, class action lawsuits for data breaches and privacy violations have become commonplace, further increasing the consequences for businesses of not securing user data.

Top 10 Biggest Fines and Settlements for Data Security Failings in 2024

This year, financial settlements in the US, with regulators and data breach victims, were particularly prominent, including Meta agreeing to pay Texas a huge $1.4bn for unlawful biometric data capture.

Additionally, EU regulators continued to get tough with big tech over privacy and security breaches relating to the GDPR.

Here are Infosecurity’s top 10 data protection fines and settlements for 2024.

Meta to Pay Texas $1.4bn for Unlawful Biometric Data Capture

In July, the State of Texas revealed it reached a $1.4bn settlement with social media giant Meta for unlawfully capturing and using biometric data of millions of Texans.

The settlement concludes a lawsuit filed by Texas Attorney General Ken Paxton in February 2022, which alleged that Meta unlawfully captured Texans’ biometric data without obtaining their informed consent, breaching Texas’s Capture or Use of Biometric Identifier (CUBI) Act and the Deceptive Trade Practices Act.

The lawsuit relates to the Tag Suggestions feature on Meta’s Facebook which was rolled out in 2011. This made it easier for users to ‘tag’ photographs with the names of people in the photo.

Facebook ran facial recognition software on virtually every face contained in the photographs uploaded to the social media platform, capturing records of the facial geometry of the people depicted.

This process was undertaken without informing or obtaining the consent of Facebook users.

The agreement is the largest ever privacy settlement in the US to date.

Irish Data Protection Watchdog Fines LinkedIn $336m

The Irish Data Protection Commission (DPC) issued a €310m ($336m) fine to LinkedIn in October for violating the GDPR in its advertising practices.

LinkedIn used information it received directly from its members as well as data obtained via its third-party partners relating to its members for the purposes of behavioral analysis and targeted advertising.

The DPC concluded that LinkedIn infringed Articles 5, 6, 13 and 14 of the GDPR for failing to request formal consent from users to process third-party data, not ensuring legitimate interest for processing the first-party personal data of its members and failing to ensure users’ personal data was collected following a principle of fairness.

Uber Hit with $324m Penalty for Failing to Protect Driver Data

Transportation firm Uber was hit by a €290m ($324m) fine by the Dutch Data Protection Authority (AP) in August for violating the GDPR by storing driver data in the US without adequate safeguards.

Specifically, the penalty related to concerns that European citizens’ human rights may be endangered if their data is stored in the US without safeguards, as their personal data may otherwise be accessed and queried by law enforcement and intelligence agencies there.

The AP claimed Uber had not used Standard Contractual Clauses (SCCs) or other means to ensure that citizens’ personal data stored on US servers received levels of protection equivalent to those in the EU.

It said that sensitive personal information included account details, taxi licenses, location data, photos, payment details, IDs and in some cases drivers’ criminal and medical records. These were transferred to Uber’s headquarters in the US for over two years without proper safeguards, the AP added.

Meta Fined $102m for Mishandling Users’ Passwords

In September, Ireland’s DPC announced it had fined Meta €91m ($102m) for mishandling social media users’ passwords and GDPR infringement.

The initial inquiry began in April 2019 after Meta notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems, meaning no cryptographic protection or encryption was in place.

This was considered a severe security failing as such information would enable access to users’ social media accounts.

Meta said that there is no evidence the passwords were abused or accessed improperly.

However, the firm was found to have breached GDPR in numerous ways, including not ensuring the ongoing confidentiality of user passwords.
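The failing described above is storing passwords with no cryptographic protection. The added example below, which is not code from the article or from Meta, shows what "ongoing confidentiality" of a stored password looks like in practice: each password is salted and run through a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) before storage, verification is constant-time, and a small audit routine flags any stored record that is not in the expected hashed format. The iteration count, record layout and sample passwords are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: a work factor and salt length chosen
# for illustration, not values taken from any real system.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output length
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted hash and return a self-describing record.

    Record layout (an assumption for this example): algo$iterations$salt$digest,
    all hex. Storing the parameters with the digest lets the work factor be
    raised later without breaking verification of older records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Return (iterations, salt, digest) for a well-formed record, else None."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or len(salt) != SALT_BYTES or len(digest) != DIGEST_BYTES:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation and compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def find_plaintext_records(records: list[str]) -> list[str]:
    """Audit helper: return every stored value that is not a hashed record.

    Anything that does not parse is treated as suspect, which is how a
    plaintext password sitting in a password column would surface.
    """
    return [r for r in records if parse_record(r) is None]


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    stored = [hash_password("correct horse battery staple"), "hunter2"]
    print("verify ok:", verify_password("correct horse battery staple", stored[0]))
    print("verify wrong:", verify_password("wrong password", stored[0]))
    print("suspect records:", find_plaintext_records(stored))
```

Because the salt is random per record, hashing the same password twice yields different records, so a leaked table of hashes cannot be attacked with a single precomputed lookup; the audit function is the kind of check that would catch a plaintext record before it reaches an internal log or database.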

Lehigh Valley Health Network Reaches Settlement After Patient Photos Hacked

Pennsylvania healthcare company Lehigh Valley Health Network (LVHN) agreed to a $65m class action settlement in September following a medical record hack affecting 600 patients and employees.

The lawsuit began in March 2023 after hackers accessed highly sensitive data held by LVHN including addresses, email addresses, dates of birth, Social Security numbers and passport information, alongside various medical data and some nude photos.

The settlement is believed to be the largest of its kind, on a per-patient basis, in a healthcare data breach-ransomware case.

Marriott Reaches $52m Settlement with US States for Massive Data Breach

Hotel giant Marriott agreed to pay a $52m settlement to 50 US states in October for a large multi-year data breach impacting 131.5 million American customers.

The 50-state settlement followed an investigation conducted by the Federal Trade Commission (FTC) and 50 state attorneys general into a breach of a Starwood guest reservation database that was discovered in September 2018.

It is estimated that 339 million guest records were exposed globally in the incident, in which attackers accessed the database undetected from July 2014 to September 2018.

Marriott acquired Starwood in 2016 and had control of the hotel group’s computer network from this time.

The impacted records included guests’ personal details and a limited number of unencrypted passport numbers and unexpired payment card information.

The agreement settles allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies.

As part of the settlement, Marriott has also agreed to strengthen its cybersecurity practices.

23andMe Agrees to $30m Data Breach Settlement

Biotech firm 23andMe announced in September it had agreed to pay $30m to victims of a major data breach in 2023.

Over six million individuals’ information was accessed following the data breach, including a significant number of files containing information about users’ ancestry.

It was revealed that hackers originally gained access to a small number of user accounts via previously compromised credentials because these accounts were not protected by MFA. They were subsequently able to scrape data from additional users who had registered with the DNA Relatives feature.

The company denied any wrongdoing in the settlement agreement and previously argued that the fault for the breach lay with users for reusing credentials.
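The intrusion path described above (previously compromised credentials tried against accounts without MFA, followed by scraping of a data-sharing feature) has a recognisable signature in authentication logs: one source address failing against many distinct usernames in a short window, then succeeding on some of them. The added example below, which is not code from the article or from 23andMe, runs that detection over a few constructed log lines and then lists the successful logins from a flagged source that landed on accounts not enrolled in MFA. The log format, field names, thresholds and the MFA enrolment set are all assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp then key=value pairs).
# Addresses use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
LOG_LINES = [
    "2023-10-01T10:00:01Z ip=203.0.113.7 user=alice result=fail",
    "2023-10-01T10:00:03Z ip=203.0.113.7 user=bob result=fail",
    "2023-10-01T10:00:05Z ip=203.0.113.7 user=carol result=fail",
    "2023-10-01T10:00:07Z ip=203.0.113.7 user=dave result=fail",
    "2023-10-01T10:00:09Z ip=203.0.113.7 user=erin result=fail",
    "2023-10-01T10:00:11Z ip=203.0.113.7 user=frank result=success",
    "2023-10-01T10:00:13Z ip=203.0.113.7 user=carol result=success",
    "2023-10-01T10:02:00Z ip=198.51.100.4 user=alice result=fail",
    "2023-10-01T10:02:10Z ip=198.51.100.4 user=alice result=fail",
    "2023-10-01T10:02:20Z ip=198.51.100.4 user=alice result=success",
]

# Assumed set of accounts that have MFA enrolled.
MFA_ENROLLED = {"carol"}


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_stuffing_sources(lines, window=timedelta(minutes=5), min_distinct_users=5) -> dict:
    """Flag source IPs whose failed logins span many distinct users within a window.

    A single user mistyping a password repeatedly does not trip this; the signal
    is breadth across accounts, which is what credential reuse attacks look like.
    Returns {ip: max_distinct_failed_users_in_any_window}.
    """
    failures = defaultdict(list)
    for event in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        if event["result"] == "fail":
            failures[event["ip"]].append(event)

    flagged = {}
    for ip, events in failures.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def at_risk_logins(lines, flagged_ips, mfa_enrolled) -> list:
    """Successful logins from a flagged source onto accounts lacking MFA.

    These are the sessions a responder would want to terminate and the
    accounts to force through a credential reset; MFA-enrolled accounts that
    were reached are listed separately by the caller if needed.
    """
    return [
        (e["user"], e["ip"])
        for e in map(parse_line, lines)
        if e["result"] == "success" and e["ip"] in flagged_ips and e["user"] not in mfa_enrolled
    ]


if __name__ == "__main__":
    sources = find_stuffing_sources(LOG_LINES)
    print("flagged sources:", sources)
    print("at-risk logins:", at_risk_logins(LOG_LINES, sources, MFA_ENROLLED))
```

On the sample data the first address is flagged because it fails against five different users inside two minutes, while the second is not, since all of its failures belong to one user. Only the login for `frank` is reported as at risk: `carol` was reached from the flagged source too, but her account is in the MFA set. Pairing this detection with per-account rate limits on data-sharing features such as a relatives list is what limits the follow-on scraping the article describes.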

T-Mobile to Pay $15.75m Settlement for Multiple Data Breaches

In October, T-Mobile agreed to a $15.75m settlement with the US Federal Communications Commission (FCC) for multiple cybersecurity incidents that led to millions of customers’ data being breached.

The civil penalty related to a series of incidents in 2021, 2022 and 2023, all of which have been subject to FCC investigations. The data accessed in the incidents included customer Social Security numbers and customer proprietary network information.

In addition to the civil penalty, which will be paid to the US Treasury, the mobile communications firm has agreed to separately invest the same amount, $15.75m, to improve its cybersecurity posture.

AT&T Agrees to $13m FCC Settlement Over Cloud Data Breach

Telecoms giant AT&T will pay $13m to the FCC following an investigation by the regulator into a supply chain breach in January 2023.

In the incident, threat actors exfiltrated AT&T customer data from a vendor’s cloud environment.

The unnamed vendor was used “to generate and host personalized video content, including billing and marketing videos” for those customers, the regulator confirmed. It’s believed around nine million wireless accounts were accessed as a result.

The FCC’s investigation had tried to determine whether the telco giant had “engaged in unreasonable privacy, cybersecurity and vendor management practices” in connection with the breach.

As part of the settlement, announced in September, AT&T has agreed to strengthen its data governance and supply chain integrity practices.

New York Secures $11.3m from Insurance Firms in Data Breach Settlement

The State of New York secured an $11.3m settlement in November from two car insurance companies over the breach of sensitive data of more than 120,000 of its citizens.

The New York Attorney General and State Department of Financial Services (DFS) found that the two firms, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), failed to protect customers’ personal information or comply with the DFS’s cybersecurity regulation, enabling the hackers to carry out the breach.

Some of the stolen driver’s license information exposed in the GEICO breach was used to file fraudulent unemployment claims at the height of the COVID-19 pandemic.

As a result of the settlements, GEICO will pay a total of $9.75m in penalties and Travelers $1.55m to the State of New York.

In addition to the financial penalties, the firms have agreed to adopt a series of measures aimed at strengthening their cybersecurity practices.

Conclusion

The financial consequences of failing to properly protect and look after personal data are now impacting businesses in a substantial way, both in the EU and the US.

Regulators will hope this approach ensures cybersecurity and data protection become a bigger issue in the boardroom, ultimately translating into stronger measures being implemented to avoid these costly penalties.
