GDPR Fines Have Reach & Bite
Now that GDPR has been in effect for over a year, let's take a closer look at the fines imposed on those who failed to comply.
GDPR (aka the General Data Protection Regulations) was implemented on 25th May 2018 across Europe to help protect the personal information of individuals, those companies not complying with the regulations faced a hefty fine. Up to €10 million EUR, or 2% annual global turnover for security violations, and up to €20 million EUR, or 4% of annual global turnover for privacy violations.
Fines are determined by the board of investigation following the regulations that are laid out by the GDPR, they also depend on the severity of the breach and factors like the level of cooperation of the company involved with the authorities investigating.
A year on since GDPR rolled out there have been changes and tougher security implementations taking place within EU companies to protect personal information, there have also been some major fines imposed onto companies across Europe and beyond from data breaches that have taken place on EU citizens.
It doesn't matter where you are based, if you are collecting data from EU citizens then the GDPR will apply, as seen from a company in Canada which was handed an enforcement notice from the GDPR as they were collecting data from EU citizens but not securing themselves. Wherever in the world you are and want to collect data from the EU users, you will need to comply with the GDPR regulations or face a heavy fine.
Fines To Date
GDPR fines have global reach and a very big bite, in total fines have already reached €372,120,990 EUR to date as of September 2019, below are a selection of some of the most eye-watering fines imposed from when GDPR came into effect.
British Airways - £183 Million GBP
The biggest fine so far was for BA who was fined £183 million for a data breach that exposed almost half a million customers details. BA’s website was compromised due to weak protocols by a vulnerability in a third-party Javascript used, exploited by a hacking group called ‘Magecart’, who diverted crucial details around payments to a separate website that was controlled by them. The vulnerability was in the third-party application Modernizr which was a well-known vulnerability but BA did not update the third-part application since 2012, gross negligence by any measure.
Marriott - £99 Million GBP
Marriott was fined £99 million after a data breach where hackers stole the personal data of 383 million guests, exposed 5 million unencrypted passwords and 8 million credit cards over a 4 year period (2014 - 2018). The breach was related to Starwood's central reservation database and China's ministry of state security was accused of orchestrating the attack due to tools used linking back to Chinese agencies.
Google - €50 Million EUR
Google was fined by the French data protection watchdog CNIL, €50 million EUR for collecting personal user data without content or providing adequate transparency. a Google spokesperson responded ‘the company is deeply committed to meeting the high standards of transparency and control that people expect of it. Google made it difficult for users to find information such as data-processing purposes, data storage periods or the categories of personal data used for the ads personalization.
Sergic - €400,000 EUR
Sergic was fined €400,000 EUR investigated by the CNIL in a data breach which failed to stop users private documents being publicly accessed. Sergic’s website had a lack of authentication controls, where users were able to easily access sensitive data by changing the URL. The CNIL learned that the vulnerability exposed users identity cards, personal certificates, account statements and confidential documents.
Haga Hospital - €460,000 EUR
Haga hospital was fined €460,000 EUR for having insufficient internal security of patient records, where 197 employees accessed a dutch celebrity Samantha de Jong’s medical records, The investigation found that Haga Hospital did not have two-factor authentication implemented on any system and that log files were not monitored on a regular basis in order to identify unauthorized data access.
Centro Hospitalar Barreiro Montijo - €400,000 EUR
A Portuguese hospital was fined €400,000 EUR by the Portuguese supervisory authority CNPD for allowing staff to use false accounts to access sensitive data through their false profiles, the hospital had 985 registered doctor profiles while only having 296 doctors working at the hospital. The CNPD reported that no appropriate technical or organizational measures were in place to protect patients' sensitive data
La Liga - €250,000 EUR
The Spanish football league, La Liga was fined €250,000 EUR for spying on their users via their mobile application, using the microphone and GPS of the users phone to record their surroundings and GPS location to try and identify venues that were unofficially streaming match games. The data was then used to sue bars and venues of the illegal broadcasts of football matches. La Liga was fined by the AEPD.
Polish Data Controller - €220,000 EUR
The Polish data protection authority DPA fined a data controller company in Poland €220,000 EUR for scraping the internet for public contacts, the controller company aggregates personal data from publicly available registers such as the central register and information on economic activity (CEIDG) and the nation court register (KRS) for the purpose of providing company-verification services.
Taxa 4x35 - €160,000 EUR
Taxa 4x35 a danish taxi company was fined 1.2 million DKK equivalent to €160,000 EUR, for storing unused contact information, the company was not deleting or anonymizing data when it was no longer needed. Taxa 4x35 hoarded 9 million customer details over 5 years, which was an assortment of data that was the customer's telephone number, payment methods, GPS coordinates to name a few.
MisterTango - €61,500 EUR
MisterTango a Lithuanian payments processing company was fined by Lithuania's data protection authority for inappropriate data processing, disclosing personal data and failing to report a breach. The company suffered a data breach as its customers personal information and banking transactions become available online. A single employee was responsible for security and information management at the company, which meant the company could not implement proper data protection policies.
Conclusion
Arguments are being made that GDPR is just a way to make money, but given these large fines we have seen GDPR will definitely push companies to take security much more seriously and the effect of this will be that the public's data will become a lot safer than it previously was. Breaches will always happen but following GDPR reporting within 72 hours of a breach and cooperating with officials takes a lot of the sting out of potential fine, especially if good security was in place before the breach.
It still remains to be seen if companies internationally will see a 2-4% global turn over as a cost of doing business rather than fix fundamental security issues, the reason why harsher fines are imposed for pure negligence. But will it get to a point where companies will hide breaches or pay off criminals for ransomware attacks in order to dodge a fine if it is more cost effective to do so? Uber did it after all.