WatchGuard Blog

Numerous points of entry lead to multi-million euro penalties for data security breaches

Data security breaches are now among the most common serious incidents affecting businesses. In this respect, 2019 was a bad year for companies. It was a year that saw some of the highest penalties imposed for violating data protection regulations, with examples such as the 50 million euro fine on Google LLC for non-compliance with GDPR transparency rules and the absence of a valid legal basis for processing personal data for advertising purposes. British Airways was also hit with a 183 million pound fine by the UK Information Commissioner's Office (ICO) in connection with a data breach that occurred in September 2018. Adversaries managed to steal the personal information of some half a million BA customers, data which included their names, credit card numbers and CVV codes, and email addresses. Article 32 of the new regulatory framework requires companies to implement the technical and organizational measures needed to ensure data security.

There have been some high-profile failures to comply with the legislation by several major organizations which have led to heavy fines from national authorities. Such fines may amount to as much as 20 million euros or 4 percent of a company's annual revenue.

Smaller companies are not exempt, however. In Poland, a company was fined 220,000 euros for gathering data from companies and individuals without their express consent. And, in November 2018, authorities in the German state of Baden-Württemberg sanctioned an unnamed social media provider with a fine of 20,000 euros. The German press suggested that the firm in question was Knuddels, an online chat service which suffered a cyberattack exposing 808,000 email addresses and 1,872,000 usernames and passwords.

According to Enforcement Tracker, the penalties imposed by European data protection agencies totaled around 600 million euros since the GDPR came into force. And these are not all just from last year. In early October 2020, fashion retailer H&M became the second company in Europe to receive a fine of over 35 million euros. This time, however, in the view of the Hamburg data protection authority, the Swedish company was proved to have unlawfully obtained extensive records regarding the private lives of employees at one of their centers in Nuremberg, dating back at least as far as 2014.

Exemplary sanctions ranked

According to a recently published study by Finbold, which analyzed the fines and sanctions imposed by data protection authorities in the EU between January and August 2020, Spain is the country with the highest number of penalties, with a total value of 1,952,810 euros. If other factors are considered, however, such as the total value of all fines in a single country, the Netherlands (2,080,000 euros) and Sweden (7,031,800 euros) both outstrip Spain, as does Italy, with a staggering total of 45,609,000 euros in penalties so far this year.

And this is not just happening in Europe. A similar scenario can be seen across the Atlantic, where, for example, US insurance firm Anthem recently acknowledged the payment of a US$39.5 million fine imposed as a result of a security breach in 2015. This incident affected the personal and healthcare data of 80 million Americans. This penalty comes on top of the US$115 million that the company had paid out in 2017 as compensation to customers for these security failures.

Various points of entry, various cybersecurity solutions

Data security breaches are sadly an all too common reality in the business world. Such incidents translate into serious financial consequences for non-compliance with the GDPR, not only thanks to the fines, but also because of the serious impact on a company's reputation and the effect on its results. Given that a data breach can occur through any of the numerous points of entry to a corporate network, it is essential to have the most advanced and appropriate protection for each situation.

Thanks to the visibility afforded by Panda Adaptive Defense 360 and its capacity to prevent and detect threats, and deliver the means required for an immediate response, organizations will be protected from hackers and zero-day or advanced attacks that can culminate in a data security breach. In addition, its add-on module Panda Data Control reveals and audits all unstructured personal data on company endpoints. It generates real-time reports and alerts of unauthorized data usage to prevent leaks, which supports the implementation of proactive controls over access and operation. Additionally, if you are concerned about critical vulnerabilities, which are currently on the rise, you can now reduce your attack surface across Windows servers and workstations with Panda Patch Management.

Given this background, it is vital for businesses to understand the importance of having an advanced cybersecurity solution, monitoring data within your organization, and patching the systems and applications you use. All the IT & endpoint security operations products and modules you need are available from WatchGuard.