Record of major corporate data breaches and, above all, of how each company responded. It does not measure only how many records were exposed: it measures the notification conduct —whether the company notified affected people and the regulator on time, delayed, or concealed it— and the outcome (settlement, fine, class action). That is the gap that matters for due diligence: two companies can suffer a similar incident and behave in opposite ways, and that defines reputational and legal risk. Each record documents the company, the number of affected people, the data type, the notification conduct and the outcome, with its source.
Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.
When a company suffers a data breach, the number of affected people grabs the headline. But for due diligence something else matters more: how it behaved. Did it notify affected people and the regulator on time, take months, or conceal it? Two companies with similar incidents can respond in opposite ways, and that defines the real risk. This tracker measures conduct, not just damage.
Data breaches are almost always counted by their size: 131 million affected at Marriott, 147 at Equifax. That figure is real and serious, but it is also the least informative part for whoever must assess a company's risk. Because suffering an incident, in a world of constant cyberattacks, can happen to anyone. What distinguishes one company from another is not having been attacked, but how it responded. This tracker is built around that second question.
That is why the central field is not the number of affected people, but the notification conduct: whether the company notified affected people and the regulator on time, delayed, or outright concealed it. These are categories with very different legal consequences. Notifying late aggravates the sanction in almost every framework; concealing a breach can turn a technical incident into a case of directors' personal liability, as the scrutiny of Clearview AI illustrates.
Of the seven documented breaches, only one company notified on time. Three notified late, two are in dispute over their conduct and one concealed the incident. The outcome splits between regulator fines and out-of-court settlements —and they should not be confused: a settlement, like 23andMe's, usually closes without admission of guilt, while a final fine does declare the violation.
For a CISO, a cyber-risk insurer, a law firm or a compliance team assessing a vendor or an acquisition target, this tracker answers the question that really matters: how does this company behave when things go wrong? A company that notified on time and cooperated with the regulator is a very different risk from one that concealed the incident for months, even if the number of exposed records is identical. The conduct record is predictive in a way the incident's size is not.
Equifax's case also shows the long tail of these events: the 2017 breach still generates obligations that appear as a risk factor in its SEC filings almost a decade later. A breach does not close when the fine is paid; it leaves a mark on the company's governance that the tracker lets you follow over time. That traceability —company, conduct, outcome, date— is exactly what turns a succession of headlines into an intelligence asset.
Germany's federal data-protection commissioner fined Vodafone GmbH a combined €45 million in 2025: €30 million for security flaws in the MeinVodafone portal authentication enabling unauthorized access to eSIM profiles, and €15 million for failing to properly oversee third-party agency contracts.
The FCC fined Verizon $46.9 million in April 2024, as part of a joint action against major carriers for sharing customer location data without adequate consent. The case illustrates the location-privacy regulatory front in the US.
In August 2024, the Dutch data-protection authority fined Uber €290 million for transferring sensitive European driver data to the United States without adequate safeguards. It is one of the year's largest data-protection fines.
Marriott reached a $52 million settlement with all 50 US states in 2024 over a multi-year data breach affecting more than 131 million users of its Starwood reservation database. The allegations included failure to comply with consumer-protection laws and data-security standards.
The 2017 Equifax breach exposed credit and identity data of around 147 million people. The subsequent settlement with the FTC and states reached up to $700 million. The company remains subject to obligations from that settlement, which still appear as a risk factor in its SEC filings years later.
In September 2024, the Dutch authority fined Clearview AI €30.5 million for building an illegal facial-recognition database by scraping billions of images from the internet without consent. Beyond the fine, the Dutch DPA is considering holding directors personally accountable and foresees additional payments if violations continue.
Genetic-testing company 23andMe reached a $30 million settlement in 2024 after a class action over a breach that exposed customers' ancestry data. The compromised accounts were not protected by multi-factor authentication and attackers are believed to have used reused credentials. 23andMe denied wrongdoing in the settlement.
Each record documents a corporate data breach with its company, sector, number of records or affected people (as declared or alleged in the settlement), type of compromised data, notification conduct and outcome. The notification conduct is classified into verifiable categories —notified on time, notified late, concealed/covered up, in dispute— based on what the regulator or settlement found, attributed to its source. The amount is the settlement or fine where one exists; a distinction is drawn between settlement (no admission of guilt) and final fine. No unpublished figures are imputed. Coverage prioritizes cases with public resolution (settlement, fine or judgment) for their due-diligence value.