Lessons learned from the biggest GDPR violations of all time
Virgil
Feb 04, 2025
Gone are the days when companies could simply implement a firewall, add privacy policies to their websites, implement basic authentication controls, and call it a day. Today, GDPR reigns supreme, and no one, not even Meta or Google, is off its radar.
Over 247 fines have been issued in the last two years. And with the average value of fines for GDPR violations surpassing 4.4 million euros (some recent ones increasing to over a billion euros), the message is very clear—align with GDPR or face steep penalties.
Yet these fines leave valuable lessons for us. They reveal a spectrum of blind spots and gaps, offering clear insights into where organizations can improve and seal the cracks in their data protection strategies to prevent similar violations.
With these insights in hand, let’s dive into the lessons these violations can teach us.
TL;DR
- The fines escalating into the billions, like Meta's, target major entities and practices such as cross-border data transfers and processing minors' data without consent.
- GDPR enforcement is tightening, and even small mistakes like using a single checkbox consent for all marketing purposes can land companies in trouble.
- Companies like Cathay Pacific faced repercussions of up to a billion dollars due to not fixing glaring weaknesses like outdated operating systems, lack of server hardening, and not encrypting their data to contain breaches.
Meta’s 1.2 billion euro fine: The cross-border data transfer debacle
Since the European court nullified the EU-US Privacy Shield, a mechanism that allowed US organizations to transfer data from the EU to the US via secured channels, the legality of transferring data to servers based in the US has rested in a gray area. Eventually, in 2023, the Irish Data Protection Commission (DPC) issued the decision to fine Meta 1.2 billion euros for violating two GDPR provisions.
1) Cross-border transfer of data
Authorities concluded that Meta had been relying on Standard Contractual Clauses (SCCs) to justify the legality of transferring the data of EU citizens and customers to the US, despite the landmark judgment issued by the EU's court nullifying the mechanisms that upheld the SCCs. As a result, it was concluded that Meta potentially exposed the data of millions of EU citizens to threat actors, surveillance bodies, and others, as data privacy regulations in the US lack the vigor of GDPR.
2) Processing children’s data without the guardian’s consent
The DPC also stated that Meta failed to implement sufficient measures to prevent the collection and processing of data of children under 13 without their parents' consent. The company was collecting such data through Facebook and Instagram, which violated Article 8 of GDPR.
Google’s violation of GDPR’s right to be forgotten
The Swedish DPA fined Google 75 million euros for failing to comply with the right to be forgotten and concluded that Google attempted to help websites circumvent the regulation.
The issue:
The “right to be forgotten” is a fundamental privacy right stated in GDPR Article 17, which enables individuals to request the de-listing of any links that point to their personal data, or to have it erased permanently from the records. Under this law, search engines like Google are also required to de-list any links pointing to the data of individuals who request de-listing or deletion. In this case, Google failed to de-list links to websites that contained individuals' personal data, resulting in the following violations:
- Non-compliance with de-listing requests: When requested by individuals, Google failed to act on time and remove certain links in its search results that directed users to those individuals' personal information, despite being directed to do so by the Swedish DPA.
- Notification to website owners: When Google acted on de-listing, it also notified the de-listed websites, prompting republishing and relisting of the content, which is legally regarded as circumventing the regulation.
- Gaps in execution: The Swedish DPA also found that Google did not accurately assess which links and websites needed to be de-listed.
GDPR Articles violated:
Article 17 (Right to erasure): This article states that data subjects can request the removal, de-listing, or erasure of their personal data, and companies must abide by it without delay.
Article 5(1)(a) (Lawfulness, fairness, and transparency): This article states that data should be processed under lawful, fair, and transparent circumstances. Google's actions were not fully transparent, as it failed to inform data subjects of these gaps.
Article 5(1)(b) (Purpose limitation): By notifying the websites, Google used the data for purposes for which it wasn't collected, violating Article 5(1)(b) of the GDPR.
Article 6 (Lawfulness of Processing): The Swedish DPA noted that Google did not have a lawful basis for notifying website owners when search results were delisted, thus breaching the conditions under which personal data can be lawfully processed.
Twitter’s failure to notify the breach
In 2018, Twitter’s data breach caused the DPA of Ireland to issue a landmark decision, imposing fines totaling over $450M.
The issue:
The breach stemmed from a bug that exposed the data of users with “protected” status: when such users changed their email address through Twitter, their tweets were exposed publicly. This bug meant that any Twitter user with “protected” status who was using Android risked having their account switched to “unprotected” without their consent.
Furthermore, Twitter reported the breach on 8 January 2019, when it should have been reported by 3 January.
GDPR articles violated:
- Article 33(1): Article 33(1) mandates that data processors, handlers, and controllers notify the authorities or DPA within 72 hours of identifying a breach. Twitter discovered the bug on December 26th, 2018, and notified authorities on January 8th, 2019, surpassing the 72-hour deadline. The organization was held accountable for violating the GDPR norms.
- Article 33(5): This article mandates that data controllers document personal data breaches and any facts related to them. They are further mandated to document the effects and the remedial action taken. The idea behind this documentation is to enable the authorities to gauge and verify compliance with Article 33. The DPA also found Twitter's efforts to be deficient on this front.
Cathay Pacific: A wake-up call for the industry
Cathay Pacific was fined £500,000 on 4 March 2020, the maximum the ICO could issue at that time. The breach resulted in a catastrophic leak of the data of 9.4 million customers, including sensitive personal information such as name, age, passport number, and more, violating many of GDPR's data privacy rights.
The issue
During the investigation, it was found that Cathay Pacific's security was deficient in a number of areas, including basics such as encryption and multi-factor authentication. Let's look at these in detail:
1) Unpatched vulnerabilities
- In an unimaginable lapse of security measures, Cathay Pacific failed to patch a vulnerability disclosed in 2007, despite its vulnerability scanners having detected it since 2014. The lapse, which lasted over a decade, allowed threat actors to infiltrate the network and exploit the vulnerability to cause catastrophic damage.
2) Outdated operating systems
- Updating operating systems is the most routine yet effective security measure. Despite that, it was found that Cathay Pacific was relying on an outdated operating system that was not even supported by the vendor anymore, leaving critical security flaws unmitigated and their organization vulnerable to even low-complexity attacks.
3) Weak access controls
- Strong access controls help contain an adverse event even during a breach. However, with weak implementation of such controls, attacks can quickly turn into full-fledged exploits. That's exactly what happened with Cathay Pacific as well.
- Another factor in containing a breach is access to administrative controls. These controls govern whether a small breach can turn into a catastrophe through escalation of privileges. In this case, the administrative console was publicly accessible, and protections weren't adequate.
4) Lack of risk assessments
- The company failed to conduct a timely risk assessment for its vendors and third parties, which could have mitigated the risk of public access to sensitive data.
5) Inadequate server hardening
- Server hardening is generally a protection method that makes servers more resilient to attack by restricting their ports, access points, and permissions through VPNs, firewalls, and physical security. Cathay Pacific left ports and services open, which drastically increased its attack surface.
6) Unprotected backup files (encryption)
- Backup files containing sensitive data were neither encrypted nor password-protected, allowing attackers to extract data easily after breaching the systems.
7) Delayed detection
- The organization couldn’t identify the breach in time, and threat actors continued to access the data over the years between 2014 and 2018, which indicated inadequate monitoring and threat detection efforts.
8) Negligence in policy implementation
- The airline failed to enforce its own IT Asset Lifecycle Management Policy, which required replacing or updating systems reaching end-of-life.
Articles violated:
- Article 32, Security of processing: This requires the controller and the data processor to implement controls as per GDPR guidelines at an organizational level to ensure that data is handled without threatening its confidentiality, integrity, or availability.
- Article 25, Data protection by design and by default: This article outlines the measures that an organization needs to take to embed data protection in its operations and processes. Cathay Pacific failed to identify the breach for years and had no practices such as encryption or server hardening in place to contain it.
Most of the time, security is about discipline and processes around crucial activities that you do continuously. These include common things such as how you onboard or offboard employees or how you just push code to production.
Girish Redekar, Co-Founder at Sprinto
TIM S.P.A – failure to uphold data subjects’ rights
The Italian Data Protection Authority fined TIM S.P.A €27.8 million due to multiple consecutive GDPR violations revolving around the unlawful processing of data and not respecting user consent for marketing purposes.
The issue:
The organization used the contacts in its database for marketing purposes, engaging them in unsolicited marketing calls without obtaining explicit consent. Even users who had explicitly denied consent or opted out through the public register were contacted, which breached the right to object to processing. In addition, the organization also ran competitions that mandated consent to marketing.
Articles that were violated:
As the organization didn’t respect the consent of the data subjects and continued to process their data by unlawful means, they breached several GDPR articles in the process:
- Articles 5 and 6 (Principles relating to the lawfulness of processing personal data): These articles outline how data must be handled and processed lawfully, fairly, and transparently. The organization failed to explicitly state how the data would be used, violating the mandate to be transparent about it.
- Article 17 (Right to erasure or ‘right to be forgotten’): This article ensures that individuals have the right to have their data erased when requested. The organization failed to take timely action on data subjects' requests to erase their personal data and revoke consent, bypassing the do-not-call register.
- Article 21 (Right to object): This Article enables individuals to object to how their personal data is used and whether it can be used for marketing activities or not. TIM ignored this right by contacting individuals who had objected or opted out through public registers.
- Article 32 (Security of processing): Requires appropriate security measures to protect data. TIM’s handling of data, especially in the context of data breaches and the secure management of personal information, was found lacking.
Make GDPR compliance easy and your default state with Sprinto
When looking at these instances, the message is clear — even small and seemingly harmless errors can lead to big GDPR violations. And with DPAs tightening their grip over companies, fines and penalties could rise steeply in the coming years.
Enter Sprinto: it makes this simpler by offering a comprehensive, ready-to-launch, out-of-the-box compliance program. This allows you to bypass the complexities, minimize chaos, and make strides toward GDPR compliance instantly. Connect Sprinto with your systems to start collecting evidence automatically and assess readiness with controls pre-mapped to criteria. Scope out applicable privacy laws and mandates with customizable policy templates baked right into the platform, and ensure policy enforcement with continuous control monitoring and intelligent alerts that help you curb compliance drift. Get a single dashboard to see which checks are failing and why, and launch mitigation workflows right from the platform.
Fast-track GDPR through automation
FAQ
What are the most common types of GDPR violations?
The most frequent GDPR violations include insufficient legal basis for data processing, inadequate data protection measures, non-compliance with subject access rights, and failures in data breach notifications. Companies often struggle with maintaining the required level of transparency and documentation or fail to implement adequate security controls.
What happens if a company violates GDPR?
If a company is found to be in violation of GDPR, it can face substantial fines, which can be up to €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher. Additionally, data protection authorities can impose non-monetary penalties such as data processing bans, orders to rectify compliance issues, and public reprimands.
How can companies prevent GDPR violations?
To prevent GDPR violations, companies should ensure they have robust data protection policies in place, conduct regular data protection impact assessments, train employees on compliance requirements, and maintain clear records of data processing activities. Implementing strong IT security measures and obtaining clear, affirmative consent from data subjects when processing their personal data are also critical.