Thanks to the trail-blazing GDPR, data protection regulations cover most of the planet today. They’re largely designed to uphold the privacy rights of citizens, while placing new responsibilities on the organizations that handle their personally identifiable information (PII). Yet despite having issued over $6bn in GDPR fines since 2018, Europe’s regulators, and their peers around the world, are busier than ever.
Fines and settlements are not the only mechanism they can use to drive compliance, but they tend to make headlines. Both the resulting reputational risk to a brand, and the immediate financial hit to a breached organization, should help to focus boards on improving their cybersecurity posture. That’s the idea anyway, even if in practice, this doesn’t always happen.
The Top 10 Data Breach Fines of 2025
Over the past year, a third (32%) of global organizations have been fined by regulators for data breach-related infractions, according to IBM. Those in the US paid the highest fines, which helped to make the country the most expensive in the world in which to suffer a data breach (an average cost of $10.2m per breach, versus a $4.4m global average).
Here are the biggest fines and breach-related settlements of 2025.
TikTok Hit with $600m Fine for China Data Transfers
In May, the Irish data protection watchdog slapped TikTok with a €530m ($600m) GDPR fine for transferring the PII of European citizens to servers in China. Although the social media giant had assured the regulator that it didn’t store any European users’ data in China, in February it emerged that this statement was incorrect. Worse, TikTok’s own assessment of Chinese law apparently concluded that it does not provide a level of protection for personal data equivalent to the GDPR.
The Irish regulator said TikTok had failed to properly assess this level of protection, which meant it was unable to deploy appropriate safeguards. However, the social giant is lodging a full appeal.
Vodafone Germany Gets $52m Fine for GDPR Offenses
In June, Vodafone GmbH was fined by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) for two separate offenses.
The first (€15m, $17m) was issued because the firm had failed to properly oversee contracts drawn up by third-party agencies. Some of these contracts were subsequently ruled to have caused financial harm to customers. The bigger fine (€30m, $35m) was for “security deficiencies in the authentication process” for customers using the MyVodafone online portal and the customer hotline. This enabled unauthorized access to customer eSIM profiles, the regulator said.
The telco has paid the full fine, remediated its systems and terminated its dealings with the non-compliant agencies.
Outsourcing Giant Capita Chooses Not to Appeal $18m Penalty
The UK’s Information Commissioner’s Office (ICO) hit Capita with a £14m fine in October for failings that led to a massive 2023 ransomware breach. The incident impacted nearly seven million end customers, including members of around 600 pension funds. The ICO pointed to a series of security errors at the outsourcer. These included: failure to prevent privilege escalation and unauthorized lateral movement; failure to respond rapidly to security alerts; and inadequate pen testing and risk assessments.
Capita will not appeal the penalty, which was reduced from an initial £45m ($59m).
Poland’s Postal Service Suffers Multimillion Euro “Envelope Election” Loss
Poland's data protection authority (UODO) fined the state-run postal operator Poczta Polska 27 million PLN ($7.4m) for breaching the GDPR in 2020. The case relates to the national elections of that year, which were planned to be held solely by post because of the pandemic. The UODO ruled that the country’s Ministry of Digital Affairs (which was fined 100,000 PLN) broke the law by handing over PII on all eligible voters in the country to Poczta Polska, and that the postal operator infringed the GDPR by processing it.
The data transferred included names, addresses and national ID (PESEL) numbers.
Italian Regulator Orders Chatbot Maker Replika to Pay $5.8m
Italy’s Data Protection Authority (Garante) fined US AI firm Luka €5m ($5.8m) after finding that it broke several GDPR rules. Garante said the firm collected and processed PII and behavioral information without obtaining valid consent, and that Luka’s privacy notices were too opaque. The regulator added that the AI firm, which makes the Replika chatbot, had no age verification measures in place, meaning children under 13 could access the platform.
A separate investigation into the legality of its model training and data processing operations is ongoing.
Polish Regulator Issues ING Bank $5.1m GDPR Fine
Poland’s UODO imposed a €4.4m ($5.1m) fine on ING Bank Śląski S.A. for unlawfully processing personal data. The bank is said to have scanned customers’ and prospective customers’ identity documents without first checking whether this was justified under Poland’s Act on Counteracting Money Laundering and Financing of Terrorism (AML Act).
The regulator found that the bank violated GDPR Articles 6(1) and 5(1)(c): the former requires a lawful basis for every processing operation, and the latter limits processing to what is necessary for the stated purpose, the principle of data minimization.
McDonald’s Under Fire in Poland
In another big case in Poland, the UODO hit McDonald’s Polska Sp. z o.o. with a €3.9m ($4.5m) fine after it failed to prevent a breach of employee data. A misconfigured server exposed information on employees and franchise workers, including PESEL numbers, passport numbers and shift details.
The breach itself was the fault of the processor, 24/7 Communication, but McDonald’s, as the controller, should have ensured that appropriate technical and organizational measures were in place. Additionally, neither controller nor processor carried out a proper risk analysis, the UODO found.
NHS Supplier Advanced Gets $4.1m Fine After Major Ransomware Outage
Advanced Computer Software Group escaped with a £3.1m ($4.1m) fine following a 2022 ransomware breach that caused significant disruption to its client, the NHS. The SaaS firm was lucky not to be fined the original sum of £6m ($8m) that the ICO had announced last year. The attack led to the exfiltration of PII on nearly 83,000 people, including phone numbers and medical records, as well as details of how to gain physical entry to the homes of 890 people receiving care. But the bigger issue was the long-term outage the breach caused and its impact on essential services supported by Advanced, such as the NHS 111 medical advice line.
It’s believed that a LockBit affiliate was able to access Advanced’s IT systems by hijacking an account that didn’t have MFA enabled and then launching a Remote Desktop Protocol (RDP) session. The ICO also pointed to failings with Advanced’s patch and vulnerability management programs.
ICO Fines 23andMe $3.1m After 2023 Cyber-Attack
Genetic testing firm 23andMe is required to pay the ICO £2.3m ($3.1m) for failing to protect customers’ special category data in 2023. Hackers managed to compromise an initial set of accounts through credential stuffing. But they were then able to scrape data from additional users who had registered with the DNA Relatives feature. Compromised information belonging to around seven million customers globally included names, birth years, city or postcode, profile images, race, ethnicity, family trees and health reports.
The ICO said 23andMe failed to put in place adequate threat monitoring and response tools, or secure authentication and verification processes for customer logins – including mandatory multi-factor authentication (MFA).
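The attack pattern above (credential stuffing against one account set, then successful logins used to pivot to related users) is exactly what the ICO's "adequate threat monitoring" finding is about. The following detector is an added example written for this article, not 23andMe's or any vendor's code. The log format, field names, thresholds and sample lines are constructed assumptions; the idea is that a stuffing campaign shows up as one source IP trying many distinct usernames with a high failure ratio, and any success from such a source is a likely account takeover that should trigger a forced password reset and step-up authentication.

```python
"""Credential-stuffing detection over authentication logs (added example).

Illustrative code for this article, not the code of any company named in it.
The log format below (timestamp ip=... user=... result=...) is an assumption;
adapt parse_line() to your own auth logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines, one per login attempt. 203.0.113.9 sprays
# many different usernames (stuffing); 198.51.100.4 retries a single account
# (plain brute force, a different signature); 192.0.2.77 is a normal login.
SAMPLE_LOG = """\
2023-10-01T08:00:01Z ip=203.0.113.9 user=alice result=FAIL
2023-10-01T08:00:02Z ip=203.0.113.9 user=bob result=FAIL
2023-10-01T08:00:02Z ip=203.0.113.9 user=carol result=SUCCESS
2023-10-01T08:00:03Z ip=203.0.113.9 user=dave result=FAIL
2023-10-01T08:00:03Z ip=203.0.113.9 user=erin result=FAIL
2023-10-01T08:00:04Z ip=203.0.113.9 user=frank result=FAIL
2023-10-01T08:00:04Z ip=203.0.113.9 user=grace result=SUCCESS
2023-10-01T08:00:05Z ip=203.0.113.9 user=heidi result=FAIL
2023-10-01T08:05:00Z ip=198.51.100.4 user=alice result=FAIL
2023-10-01T08:05:30Z ip=198.51.100.4 user=alice result=SUCCESS
2023-10-01T08:06:00Z ip=192.0.2.77 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class IpStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Accounts that logged in successfully from this IP. Only meaningful
    # once the IP is flagged: those are the likely account takeovers.
    compromised_users: set = field(default_factory=set)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_stuffing(lines, min_distinct_users=5, min_failure_ratio=0.6):
    """Flag source IPs that tried many distinct usernames with mostly failures.

    Returns {ip: IpStats} for flagged IPs only. Thresholds are assumptions;
    tune them against your own baseline of legitimate shared-NAT traffic.
    """
    stats = defaultdict(IpStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines in an unexpected format
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised_users.add(rec["user"])

    return {
        ip: s
        for ip, s in stats.items()
        if len(s.users) >= min_distinct_users and s.failure_ratio >= min_failure_ratio
    }


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(
            f"{ip}: {s.attempts} attempts, {len(s.users)} users, "
            f"failure ratio {s.failure_ratio:.2f}, "
            f"accounts to reset: {sorted(s.compromised_users)}"
        )
```

Note that the single-account retries from 198.51.100.4 are deliberately not flagged by this rule; a brute-force detector would key on failures per account rather than distinct accounts per IP, and in production both should run, along with per-user rate limits and mandatory MFA so that a successful guess alone is not enough.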
Allium UPI Breach Lands Firm with Multimillion-Dollar Penalty
Estonia’s Data Protection Inspectorate fined Allium UPI OÜ €3m ($3.5m) after a 2024 data breach compromised the PII of 750,000 individuals. Sensitive information, including health-related purchases and contact details, was stolen from the Apotheka loyalty program managed by Allium. The firm had apparently failed to implement even basic cyber hygiene measures, such as MFA, continuous monitoring and properly secured database backups.
Conclusion
The GDPR may be seven years old now, but regulators seem more prepared than ever to impose major financial penalties for continued infractions. Security and compliance teams should take note.
