$6.2B+ IN REAL ENFORCEMENT ACTIONS

The compliance fines that should scare you

18 public-record enforcement actions across GDPR, HIPAA, PCI DSS, GLBA, SOX, and state privacy regimes — with the actual root cause and the specific controls that would have prevented each one. Use them as your board-deck appendix.

Run my free compliance audit Generate policies

All GDPR HIPAA PCI DSS CCPA / State GLBA / Fintech SOX / SEC

Irish Data Protection Commission (DPC) · 2023

Largest GDPR fine ever — EU→US data transfers under invalidated Privacy Shield framework

Read root cause + lessons →

Cyberspace Administration of China (CAC) · 2022

¥8.026B (~$1.2B)

Largest data-protection fine in Asia — 16 violations across PIPL, DSL, CSL

China PIPLData Security LawCybersecurity Law

Read root cause + lessons →

Amazon Europe Core

CNPD (Luxembourg) · 2021

Largest GDPR fine at the time — behavioural ad targeting without valid consent

Read root cause + lessons →

FTC + CFPB + 50 State AGs · 2017

Financial Services

Largest consumer-data settlement in US history — Apache Struts patch ignored for 76 days

GLBAFTC ActState AG

Read root cause + lessons →

Meta / Instagram

Irish DPC · 2022

Children's business-account email + phone exposed publicly

Read root cause + lessons →

Irish DPC · 2023

Children's accounts defaulted to public — GDPR Articles 5, 12, 24, 25 violations

GDPRAge-Appropriate Design

Read root cause + lessons →

OCC + class action · 2020

$80M + $190M class

Mis-configured AWS WAF → 106M records exfiltrated by a former AWS engineer

GLBABank Service Co Act

Read root cause + lessons →

FTC + state AGs + card networks · 2007

The breach that wrote PCI DSS — 94M cards stolen via insecure WEP wireless

Read root cause + lessons →

47 State AGs + class action + card networks · 2013

HVAC vendor credentials → 40M payment cards + 70M customer records

PCI DSSState AGClass Action

Read root cause + lessons →

Block / Cash App

CFPB + 48 State AGs · 2025

Failed fraud investigations + inadequate Reg E dispute handling

CFPAGLBAEFTA Reg E

Read root cause + lessons →

US SEC + class action · 2018

$35M SEC + $117.5M class

First SEC enforcement against a public company for failing to disclose a cyber breach

SEC DisclosureSecurities Act

Read root cause + lessons →

50 State AGs + DC · 2018

Paid hackers $100K to hide a 57M-record breach for over a year

State Breach Notification

Read root cause + lessons →

Hamburg DPA (Germany) · 2020

Secret employee profiling — managers logged personal details after 1:1s

GDPREmployee Monitoring

Read root cause + lessons →

British Airways

Magecart-style skimmer on payment page — 429K records exposed

Read root cause + lessons →

Marriott International

Starwood acquisition inherited a 4-year undetected breach — 339M records

Read root cause + lessons →

HHS Office for Civil Rights (OCR) · 2018

Largest HIPAA settlement in history — 78.8M records breached

Read root cause + lessons →

US Federal Trade Commission · 2023

Healthcare / Telehealth

Disclosed sensitive mental-health data to Meta / Snap ad pixels

FTC ActHIPAA-adjacentState

Read root cause + lessons →

Premera Blue Cross

HHS OCR · 2020

11M-record breach + risk-analysis + access-controls failures

Read root cause + lessons →

Find your gaps before a regulator does

Run a free 60-second compliance audit on your existing policies. ComplianceIQ scores you against every framework in this database and tells you which control gap would expose you to which enforcement pattern.

Start free audit