Top 10 Highest fines paid for non-compliance [2024 edition] 

Home » Blog » Top 10 Highest fines paid for non-compliance [2024 edition] 

Top 10 Highest fines paid for non-compliance [2024 edition] 

The rising threat of data breaches, ransomware, and other cyberattacks that target personal information has made regulators and global bodies more serious about compliance.  

Regulatory and global bodies for data protection are after organizations that think they can get away with non-compliance.

Here are some of the biggest fines organizations have paid to date for non-compliance. Before we hop on to some of the highest fines ever paid, here is a brief about compliance and why it’s one of the heated board discussions today.

Non-Compliance: a rising threat 

Industry 4.0 is on the rise but with it are cyber threats who keep evolving their techniques to counter the digital defenses and target the most precious information assets.  

In response to the rising cyber threats and increasing risk of data breaches that businesses are exposed to, regulators are strengthening compliances like the General Data Protection Regulation by the EU, the Health Insurance Portability and Accountability Act, and the guidelines by the National Institute of Standards and Technology

Increased businesses are under the threat of non-compliance in a world with constantly evolving cyber threats and an ever-changing regulatory environment. They are under pressure from both cybersecurity and compliance to implement the latest recommended best practices. 

Fines for GDPR non-compliance  

Meta Platforms Inc, Ireland (May 2023) 

Fines/Penalties paid: $1296 million or 1.2 billion  

Reason: Non-compliance with general data processing principles 

Amazon, Luxembourg (July 2021) 

Fines/Penalties paid: $887 million  

Reason: Violation of general data protection rules by misusing public data from competing with other businesses in France and Germany 

Meta & Instagram, Europe, Ireland (2023,2022) 

Fines/Penalties paid: $413 million & $403 million 


  • Violation of GDPR guidelines in delivery of Facebook and Instagram services in Europe (2023) 
  • Violation of Children’s privacy rules under GDPR, Ireland (2022) 

Facebook (2023)  

Fines/Penalties paid: $286 million 

Reason: Violation of GDPR protect data from cyber-attack of 500 million users

Fines for HIPAA non-compliance  

Premera Blue Cross (2020) 

Fines/Penalties paid – $ 6,850,000 


  • Failure to adhere with risk assessment and management guidelines,  
  • failure to produce sufficient hardware and software controls.  
  • Data exposure of 10.4 million people.  

Essex Residential Care (2024)

Fines/Penalties paid: $100,000 

Reason: Failure in ensuring timely access to medical records as per compliance guidelines 

Fines for the non-compliance of SEC

The Intercontinental Exchange (2024)  

Fines/Penalties paid: $10 million 

Reason: Non-compliance with the SEC guidelines: failure to report incident 

T-Mobile (2021) 

Fines/Penalties paid: $ 350 million 

Reason: Non-compliance with SCE guidelines noncompliance – 2021- T mobile 

Fines for the violation of PCI DSS compliance 

Equifax (2017) 

Fines/Penalties paid: $425 million  

Reason: Violation of PCI standards and other standards by FTC (Federal Trade Commission) that led to exposure of data of 45% of US citizens 

British Airways (2017) 

Fines/Penalties paid: $6 million 

Reason: Exposure of data of 500000 customers in a data breach 

How can compliance challenges be addressed? 

Businesses often struggle with having a limited team due to the widening skills gap. Over 3.5 million positions are unfilled in cybersecurity, as per the World Economic Forum in 2023. Due to the skills gap, they find it challenging to address compliance and cybersecurity-specific bottlenecks.  

SharkStriker solves these challenges with a team that cannot just help them boost their security posture with the industry best practices, making them compliant as per the applicable regional and global compliance.  They identify gaps in security and compliance and help them implement recommended measures, policies, and controls

SharkStriker’s compliance management services include the following aspects: 

Risk assessment: We conduct a comprehensive risk assessment of their IT infrastructure. It includes all their systems connected to the network and their cloud & IoT ecosystems.  We do so using offensive techniques used by real-world attackers. 

Gap assessment: We assess the security posture for gaps against the recommended guidelines in regulatory and global standards. 

Risk Treatment Plan: We prepare a detailed report comprising all the policies, procedures, and measures, including the people process and technology required to treat risks across the posture. We specify the controls that are to be implemented to address all the security and compliance-specific risks.  

Implementation: In the next step, we implement the risk treatment plan with the right people, process, and technology as planned. We ensure that every aspect of the plan is covered. 

Post implementation Audit: Once the risk treatment plan is implemented, we assess the posture once again for gaps in implementation. We address the gaps with the recommended set of measures. 

Training and awareness: Since human error remains one of the top factors contributing to non-compliance and security risks, we create training programs to address the awareness gaps across different levels in the organization regarding compliance and the common cybersecurity risks and best practices.  


Identify and bridge
compliance gaps with SharkStriker

Explore More >

Latest Post