Top 10 Fines and Sanctions for Cybersecurity Incidents in 2022
A data breach can be a massive headache for organizations and enterprises, as it may entail severe consequences, including decreased customer trust and substantial financial losses like recovery costs, loss of revenue and expenses due to regulatory fines for a data breach. This article highlights the biggest fines and penalties for non-compliance companies faced in 2022.
China fines Didi Global $1.2bn for breaking cybersecurity laws
China's cybersecurity regulator fined ride-hailing behemoth Didi Global 8 billion yuan ($1.18 billion) for violating multiple cyber security laws in the country, including the network security law, data security law and personal information protection law.
According to the Cyberspace Administration of China, Didi collected personal data of millions drivers and customers, including facial recognition data, personal identification numbers, home and company addresses. The watchdog said that these collecting activities seriously threatened national security and were carried out with malicious intent.
T-Mobile $350 million settlement
US mobile communications giant T-Mobile agreed to a $350 million settlement over the 2021 massive data breach that exposed personal information belonging to an estimated 76 million people. The breach exposed customer names, Social Security numbers, phone numbers, addresses and dates of birth.
In addition to cash payments to affected customers, T-Mobile agreed to invest $150 million in bolstering its data security.
$63M OPM hack settlement
The US Office of Personal Management (OPM), a federal agency that serves as human resources for federal government employees, agreed to pay $63 million over a data breach that took place almost a decade ago. In 2015, OPM disclosed that it was hit with a series of cyber intrusions believed to have been perpetrated by China-linked state-backed hackers that led to the compromise of personal data of nearly 22 million people.
A subsequent House committee investigation into the OPM hack revealed that the earliest known data breach at OPM occurred in November 2013, and that the agency’s systems had been vulnerable to hacker attacks since at least 2005. The report also pointed out that the data breach was a result of culture and leadership failures.
Morgan Stanley pays $35M SEC fine for failure to protect personal data of 15 million customers
Multinational banking giant Morgan Stanley has paid a $35 million SEC fine for its repeated failure to ensure secure replacement of company hard drives and servers, which led to the exposure of the personal data belonging to approximately 15 million customers. Over the five-year period, starting 2015, the bank improperly disposed thousands of devices containing the personally identifiable information (PII) and some equipment was resold by a third party on an internet auction site without checking that the customer data had been deleted.
Morgan Stanley had already paid out around $120 million in fines and settlements over data security lawsuits.
SolarWinds $26 million settlement
US-based IT management solutions provider SolarWinds reached a $26 million settlement with its shareholders in a class-action lawsuit filed in 2021 over the 2020 compromise and subsequent supply chain attack through the company’s software called “Orion.” The attack impacted thousands of customers, including cybersecurity firm FireEye and multiple US government agencies, such as the Department of Homeland Security and Treasury Department. The US government attributed the hack to Russian military hackers.
The settlement still needs to be approved by a court. Besides this, SolarWinds also faces possible enforcement action from the federal authorities over “cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.”
FTC sues ed tech provider Chegg over multiple data breaches
The US Federal Trade Commission (SEC) filed a complaint against educational technology vendor Chegg over lax data security practices. Since 2017, the company has experienced four security breaches that exposed personal information for approximately 40 million customers and employees.
The FTC is demanding that the company strengthen its data security, limit the data it can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.
Meta fined €17 million for data security violations
Ireland's data regulator (DPC) imposed a €17 million fine on Facebook’s parent company Meta for infringement of the General Data Protection Regulation (GDPR) rules following an inquiry into a series of 12 data breaches affecting up to 30 million Facebook users that were disclosed to the watchdog between June and December 2018. The regulator found that the company violated the mandatory provisions of the GDPR, which require organizations to implement “appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data.”
Cosmote fined €6 million over 2020 cyber-attack
Greece’s largest mobile operator Cosmote was fined €6 million by the Hellenic Data Protection Authority (HDPA) for violation of the data protection laws after a reported data breach. In 2020, the company was hit with a cyber-attack, which saw personal data of 4.8 million customers stolen.
The watchdog discovered that Cosmote failed to include its parent company, OTE Group, in the investigation, and did not implement sufficient data protection policies and procedures.
OTE Group was also fined €3.25 million for the lack of adequate security measures resulting in the leakage of subscriber call data.
Vodafone España fined €3.94 million for violation of GDPR
The Spanish data protection authority (AEPD) imposed a €3.94 million fine on Spanish mobile telecommunications operator Vodafone España for its failure to implement appropriate security measures to prevent fraudulent replication of SIM cards (SIM Swapping). It was found that security measures Vodafone put in place were insufficient, and the company did not implement an effective GDPR compliance and management model to minimize the risk of identity theft.
Dedalus Biologie fined €1.5 million for massive health data breach
French company Dedalus Biologie, a software solution provider for medical analysis laboratories, was fined €1.5 million for a 2021 data breach that exposed personal health information of nearly 500,000 individuals.
After an investigation into the breach the French data protection authority (CNIL) determined that the company failed to ensure that personal information was properly secured, which led to the massive data leak.
- Follow ImmuniWeb on Twitter and LinkedIn
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter