Top 10 highest fines paid for non-compliance in 2026
15 Jun 2026
Non-compliance remains one of the biggest back-of-the-mind worries for business owners. However, despite prioritizing compliance, organizations struggle to identify and bridge compliance gaps.
Modern threat actors use this compliance pressure to carry out triple extortion attacks, threatening to publish the data and targeting third parties in addition to encrypting data.
In 2026, threats have rapidly become faster, harder to detect, and more damaging, while regulators have become stricter about the data security and privacy they expect from organizations. This has put organizations in a tight spot as they try to manage both security and compliance.
In this post, we look at some of the highest fines that organizations have paid for non-compliance, along with a closer look at the violation each was fined for.
1. $409 Million – Coupang – Personal Information Protection Act (PIPA), South Korea
Date fined – June 11th, 2026
Regulator – PIPC (South Korea)
Original amount – ~ ₩624.7 Billion
Violation summary
Largest privacy fine in South Korean history. Former employee stole a security key and accessed 33M+ customer records. Coupang failed to detect the breach within the 72-hour legal window and unlawfully collected online activity data from ~11M users.
Regulators cited “inadequate basic safety management,” not sophisticated hacking. Coupang plans to appeal.
2. $75-80 Million – Canaccord Genuity – Bank Secrecy Act (BSA); SEC and FINRA compliance rules
Date fined – Q1 2026
Regulator – BSA AML
Original amount – USD (native)
Violation summary
Coordinated multi-agency penalty for Bank Secrecy Act violations spanning 13 years. FINRA had documented failures in 2014, 2017, and 2018 with no remediation. $5M suspended pending a suspicious activity lookback review.
3. ~$48.4 Million – Free Mobile / Free (Iliad) – EU General Data Protection Regulation (GDPR)
Date fined – Jan 13, 2026
Regulator – CNIL (France)
Original amount – €42M (€1 = $1.153)
Violation summary
2024 cyberattack exposed data of 24M subscribers including IBANs. CNIL cited weak VPN authentication, no anomaly detection, excessive retention of former subscribers’ data, and poor breach notification. Free Mobile fined €27M; Free fined €15M.
4. ~$36.7 Million – Intesa Sanpaolo – EU General Data Protection Regulation (GDPR)
Date fined – Mar 30, 2026
Regulator – Garante per la Protezione dei Dati Personali (Italy)
Original amount – €31.8M (€1 = $1.153)
Violation summary
Single employee accessed private financial records of 3,573 customers — including public figures — over 2+ years. Bank failed to detect access or notify affected customers as required under GDPR Articles 33 and 34.
5. ~$20.3 Million – Intesa Sanpaolo – EU General Data Protection Regulation (GDPR)
Date fined – Mar 12, 2026
Regulator – Garante per la Protezione dei Dati Personali (Italy)
Original amount – €17.6M (€1 = $1.153)
Violation summary
Unlawfully profiled ~2.4M customers to decide which accounts to migrate to digital-only subsidiary Isybank, without valid legal basis or adequate transparency. Profiling notice buried in a summer app update.
6. ~$18.7 Million – Reddit – UK GDPR; Children’s Code (Age Appropriate Design Code)
Date fined – Q1 2026
Regulator – ICO (UK)
Original amount – £14M (£1 = $1.333)
Violation summary
Failed to protect children on the platform. Did not complete a required children’s risk assessment before introducing new age checks in mid-2025, and had previously relied solely on self-declared age. Reddit plans to appeal.
7. $12.75 Million – General Motors/OnStar – California Consumer Privacy Act (CCPA), California Unfair Competition Law & California False Advertising Law
Date fined – May 8, 2026
Regulator – CA AG + CalPrivacy (US)
Original amount – £14M (£1 = $1.333)
Violation summary
Illegally sold precise geolocation and driving behavior data from OnStar subscribers to data brokers without consent. Largest CCPA fine ever and California’s first data minimization enforcement action.
8. $2.75 Million – Disney – California Consumer Privacy Act (CCPA)
Date fined – Feb 2026
Regulator – CA AG (US)
Original amount – £14M (£1 = $1.333)
Violation summary
Failed to honour consumer opt-out requests across Disney+, Hulu, and ESPN+. Gaps in opt-out mechanisms allowed continued sale and sharing of user data despite stated controls.
9. ~$7 Million – Binance Australia Derivatives – Australian Financial Services Law & Corporations Act 2001
Date fined – Feb 2026
Regulator – ASIC (Australia)
Original amount – AUD $10M (AUD $1 = $0.699)
Violation summary
Misclassified 524 retail customers as sophisticated investors, stripping them of key consumer protections. Investigation originated in 2022.
10. $373,703 – Ford Motor Company – California Consumer Privacy Act (CCPA)
Date fined – Mar 2026
Regulator – CalPrivacy (US)
Original amount – AUD $10M (AUD $1 = $0.699)
Violation summary
Connected vehicle opt-out violations. Part of CalPrivacy’s sustained automotive industry enforcement sweep alongside Honda and GM.
How SharkStriker helps you stay secure and compliant
If you are a business owner struggling to manage multiple vendors, or you have a limited team, expertise, or resources for your security and compliance management needs, SharkStriker’s compliance management service is for you.
Through a single service, you get the people, the expertise, the technology, and ultimately the confidence you need to not just ace audits but also have a good night’s sleep knowing that your progress, hard work, and people are secured round the clock from modern threats.
To learn more about our compliance management services: Avail 360 degree compliance fulfillment with compliance consultants – SharkStriker
To connect over a short call with our team: Get in touch with our experts for more details on pricing and solutions – SharkStriker
Wrapping it up
We have seen some of the biggest cases of non-compliance in 2026. Watch this space as we keep updating our list of highest fines paid for non-compliance in 2026.