The General Data Protection Regulation (GDPR) is one of the most stringent data protection laws in the world, designed to safeguard the privacy and security of individuals' personal data. Since it became enforceable in May 2018, numerous organizations have faced fines and penalties for non-compliance, often following a data breach, but also for unlawful processing with no attacker involved. In this article, we examine four significant GDPR enforcement cases (two external breaches and two violations of the processing principles), the consequences faced by the organizations involved, and the lessons that businesses can draw to prevent similar incidents.
Example 1: British Airways Data Breach (2018)
Background
British Airways, one of the world's largest airlines, suffered a major data breach in 2018. Attackers compromised its website and mobile application, gaining unauthorized access to customer data. The breach was particularly severe, affecting approximately 400,000 customers; the attacker had access to BA's systems for more than two months before the airline learned of the intrusion.
How the Breach Happened
The attackers used a technique known as a Magecart attack, a form of digital skimming in which malicious JavaScript is injected into a website's checkout flow to copy payment details as the customer types them. The injected code on British Airways' site diverted the data entered on the payment page to an attacker-controlled domain, so the skimming happened in the customer's browser and was invisible to the airline's back-end systems.
What Data Was Exposed?
- Full names
- Billing addresses
- Email addresses
- Payment card numbers and expiry dates (with CVV codes for a subset of customers)
- Travel booking details
Consequences and Penalties
The UK Information Commissioner's Office (ICO), responsible for enforcing GDPR in the UK, investigated the breach and imposed a £20 million fine on British Airways in 2020. The ICO's initial notice of intent had proposed a fine of £183 million; the final amount was reduced substantially after the airline's representations and in light of the financial impact of the COVID-19 pandemic.
The ICO cited the following reasons for the fine:
- Lack of adequate security measures: British Airways failed to implement appropriate technical and organizational measures to prevent unauthorized access.
- Late detection: the attacker had access for more than two months before the breach was identified, exposing sensitive customer information throughout that period.
- Failure to detect the attack itself: British Airways was alerted to the breach by a third party rather than by its own monitoring.
Lessons Learned
- Enhance cybersecurity infrastructure: Businesses must invest in robust security measures, including regular security audits and penetration testing of the customer-facing web and mobile channels that handle payment data.
- Monitor for suspicious activity: Continuous monitoring and real-time threat detection, including integrity checks on the scripts served to customers, can catch this kind of attack before it runs for weeks.
- Act swiftly in case of a breach: Prompt response and transparent communication with customers and the regulator minimize both the harm to individuals and the legal consequences.
Example 2: Marriott International Data Breach (2018)
Background
Marriott International, one of the largest hotel chains in the world, experienced a devastating data breach that affected up to 339 million guest records worldwide, roughly 30 million of them relating to residents of the European Economic Area. The breach was traced to the Starwood guest reservation system, which had been compromised since 2014, two years before Marriott acquired Starwood in 2016.
How the Breach Happened
The breach resulted from unauthorized access to the Starwood reservation database. The attackers installed remote-access malware on Starwood systems, harvested login credentials to move through the network, and remained undetected for four years, continuing to operate after the acquisition.
What Data Was Exposed?
- Guest names
- Passport numbers (5.25 million unencrypted)
- Email addresses
- Phone numbers
- Payment card details (encrypted but potentially accessible)
- Reservation details, including check-in and check-out dates
Consequences and Penalties
Marriott faced severe consequences due to the sheer scale and duration of the breach. The UK ICO fined Marriott £18.4 million under GDPR (reduced from a proposed £99 million) for failing to put appropriate technical and organizational measures in place to protect the personal data it took on with Starwood. The company also faced multiple lawsuits and regulatory actions across different jurisdictions.
Key reasons for the penalty:
- Insufficient due diligence: Marriott did not adequately assess the security of Starwood's systems at acquisition, and did not secure them afterwards, so an intrusion that predated the deal carried on unnoticed.
- Weak security controls: The lack of proper encryption and access management contributed to the prolonged exposure.
- Delayed detection: The breach had been ongoing for four years before it was finally discovered in 2018.
Lessons Learned
- Due diligence during mergers and acquisitions: Companies acquiring another business must thoroughly assess cybersecurity risks associated with the target entity.
- Implement strong encryption measures: Sensitive identifiers such as passport numbers should be encrypted at rest, with the keys stored and managed separately from the database, so that a compromise of the data store alone does not expose them.
- Regular security audits: Businesses should conduct continuous security assessments to identify and address vulnerabilities before they are exploited.
Example 3: Google CNIL Fine (2019)
Background
In January 2019, the French Data Protection Authority (CNIL) imposed a €50 million fine on Google for GDPR violations. This was one of the first high-profile enforcement actions under GDPR and the largest fine issued under it at that time, setting a precedent for how regulators handle non-compliance that involves no external attacker.
How the Violation Happened
Unlike traditional data breaches where hackers steal information, Google’s violation was centered around a lack of transparency and user control over personal data. CNIL determined that Google failed to provide clear and concise information on how user data was processed for personalized advertising.
Key issues included:
- Insufficient transparency: Users were not given straightforward details about how their data was being collected and used.
- Lack of proper consent mechanisms: Google did not obtain valid consent for processing personal data, particularly for targeted advertising.
- Fragmented information: Critical details regarding data processing were scattered across multiple documents, making it difficult for users to access a clear overview of how their information was handled.
What Data Was Affected?
- Personal identifiers (name, email, phone number)
- Location history
- Browsing behavior
- Preferences used for targeted advertising
Consequences and Penalties
Google was fined €50 million, the largest GDPR penalty issued at that time. CNIL justified the fine by stating that Google's approach violated fundamental GDPR principles, including:
- Lack of transparency and accessibility: Essential information about processing was not easily accessible to users.
- Failure to obtain valid consent: The option to display personalized ads was pre-ticked, so the consent obtained was neither specific nor unambiguous.
- Non-compliance with GDPR’s core requirements: Companies must make data processing information easily accessible and comprehensible.
Lessons Learned
- Ensure full transparency: Businesses must clearly communicate how personal data is processed and provide users with simple, accessible information.
- Obtain valid consent: Where consent is the lawful basis for processing, GDPR requires an affirmative opt-in; pre-ticked boxes and opt-out defaults do not count.
- Simplify data access for users: Avoid burying key data policies within multiple layers of documentation.
Example 4: H&M Employee Data Breach (2020)
Background
In 2020, H&M, the multinational clothing retailer, received one of the largest GDPR fines issued up to that point for unlawfully collecting and storing employee data at its customer service center in Nuremberg, Germany. The case was particularly serious because it involved systematic internal monitoring of staff rather than an external cyberattack.
How the Violation Happened
H&M’s management was found to have systematically recorded highly sensitive personal information about employees without their knowledge. The company collected data through:
- One-on-one meetings with employees: Supervisors secretly took notes about personal issues such as illnesses, family problems, and religious beliefs.
- Unauthorized employee profiling: The collected data was used to make employment decisions, including performance reviews and promotions.
- Lack of data protection policies: There were no strict safeguards in place to prevent misuse of employees’ personal information.
This intrusive data collection came to light when an internal IT error made the sensitive information accessible to all employees for a short period.
What Data Was Exposed?
- Health records and medical conditions
- Religious beliefs
- Personal family matters
- Employment performance assessments
Consequences and Penalties
The Hamburg Data Protection Authority imposed a €35.3 million fine on H&M for violating GDPR’s data protection principles. Key reasons for the penalty included:
- Unlawful data collection: Employees' private circumstances were recorded without any valid legal basis and without their knowledge.
- Violation of privacy rights: The company mishandled personal and sensitive information.
- Failure to implement security measures: H&M did not have adequate policies to prevent internal misuse of data.
Lessons Learned
- Respect employee privacy: Companies must be transparent about data collection practices and gather only the information that is necessary for a lawful purpose; details of health, religion and family life are special categories of data that require a specific legal basis.
- Limit access to sensitive data: Strict access control measures should be implemented to prevent unauthorized handling of employee information.
- Regular internal audits: Businesses must frequently review data security policies to ensure compliance with GDPR and avoid illegal surveillance practices.
Conclusion
The British Airways and Marriott breaches serve as stark reminders of the importance of robust data security measures, while the Google and H&M cases show that GDPR enforcement does not require an attacker at all: unlawful or opaque processing draws penalties of the same order. All four cases resulted in significant financial penalties, reputational damage and loss of trust. Organizations handling personal data must implement proactive security controls, conduct regular risk assessments, process data transparently and on a valid legal basis, and respond swiftly to incidents to remain compliant and safeguard the people whose data they hold.
By learning from these examples, businesses can avoid similar pitfalls and uphold the highest standards of data protection, ensuring compliance with GDPR and other global data privacy regulations.