From Facebook to Marriott: the biggest data breach fines companies have had to pay
The steepest data protection penalties ever
In the cyber age, personal data is easier to share than ever, but that also makes it more vulnerable to hackers who want to profit from it. In response, authorities across the world have been cracking down on data breaches. The EU's General Data Protection Regulation (GDPR) allows fines of €20 million ($21.9m/£7m) or 4% of a company's turnover, while the USA and Canada have tightened their regulations, so a serious hack can now cost a company far more than a few disgruntled customers. From British Airways' record-breaking $230.3 million (£183.4m) fine to the supersized settlement Facebook faces following the Cambridge Analytica scandal, here are the heftiest data breach fines ever...
BlueCross BlueShield of Tennessee (BCBST), USA – $1.5 million (£1.15m)
Healthcare organisations are among the worst offenders when it comes to putting users' data at risk. In 2012, medical insurer BCBST was fined $1.5 million (£1.15m) by the US Department of Health and Human Services' Office for Civil Rights (OCR) following the theft of 57 unencrypted hard drives in 2009. More than a million individuals had their details stolen.
Norwich Union, UK – $1.7 million (£1.3m)
The British insurance company Norwich Union, which merged with Aviva in 2009 and is now defunct, was rapped in 2007 by the Financial Services Authority (FSA) for its woefully inadequate cybersecurity that resulted in several significant frauds. Criticised by the FSA for letting down its customers, the firm was fined $1.7 million (£1.3m).
Concentra Health Services, USA – $1.7 million (£1.3m)
Keeping itself very busy, the OCR served Texas-based Concentra Health Services with a $1.7 million (£1.3m) fine in 2013 for failing to encrypt a laptop that was stolen in 2011. In fact, laptop thefts, specifically thefts of unencrypted machines, feature pretty heavily in this round-up.
Jackson Health System, USA – $2.15 million (£1.6m)
Jackson Health System was caught in an investigation that probed its activity in 2013, and it was bad news for the company. An employee had not only accessed sensitive data, but had also sold it on to a third party. The OCR found that the health system hadn’t adequately restricted employees’ access to patient information, and a $2.15 million (£1.6m) penalty was given out for its negligence.
CVS Pharmacy, USA – $2.3 million (£1.8m)
CVS shocked customers in 2009 when it revealed the company had thrown paperwork containing confidential records in dumpsters, unshredded and available to criminals. Following the revelation, the OCR hit the drugstore and clinic chain with a $2.3 million (£1.8m) fine for violating Health Insurance Portability and Accountability Act (HIPAA) regulations.
CardioNet, USA – $2.5 million (£1.9m)
Staying in the healthcare sector, heart monitoring firm CardioNet fell foul of HIPAA rules and found itself in deep trouble with the OCR over a 2012 data breach that involved the theft of an unencrypted laptop packed with the personal medical information of 1,391 customers. A settlement fine of $2.5 million (£1.9m) was meted out in 2017 to the medtech company for the blunder.
Scottrade, USA – $2.6 million (£2m)
Scottrade, the American brokerage firm that was absorbed into TD Ameritrade and Toronto-Dominion Bank in 2017, admitted a data breach two years prior that had affected 4.6 million customers. The Financial Industry Regulatory Authority (Finra) slammed the finance company for failing to safeguard the data and whacked it with a $2.6 million (£2m) penalty.
Oregon Health & Science University (OHSU), USA – $2.7 million (£2.1m)
Back to medical organisations: Oregon Health & Science University (OHSU) was fined $2.7 million (£2.1m) by the OCR for two data breaches in 2013 that compromised the personal information of more than 7,000 patients. The first breach resulted from the theft of an unencrypted laptop and the second exposed sensitive data stored in the cloud.
PG&E, USA – $2.7 million (£2.1m)
Energy provider Pacific Gas and Electric (PG&E) was recently taken to task by the North American Electric Reliability Corporation (NERC) after a third-party contractor exposed the personal details of 30,000 customers online over a period of around 70 days in 2016. The fine in this case amounted to $2.7 million (£2.1m).
University of Mississippi Medical Center (UMMC), USA – $2.8 million (£2.2m)
Not long after issuing a $2.7 million (£2.1m) fine on the Oregon Health & Science University (OHSU), the OCR went one better and imposed a penalty of $2.8 million (£2.2m) on the University of Mississippi Medical Center (UMMC). Again, the data breach concerned the theft of an unencrypted laptop, putting the data of over 10,000 patients at risk.
Cottage Health, USA – $3 million (£2.3m)
Healthcare providers are often the most common offenders when it comes to data breaches, and not-for-profit company Cottage Health was one of the most recent to be caught out. Severe data breaches occurred in 2013 and 2015, leaving the data of 62,500 patients vulnerable to theft. The OCR responded with a corrective action plan and a $3 million (£2.3m) fine.
Touchstone Medical Imaging, USA – $3 million (£2.3m)
In a succession of fines doled out by the OCR, Touchstone Medical Imaging was also picked up for not protecting patient data. An investigation into its data handling practices in 2014 showed that there was widespread non-compliance with HIPAA regulations, leading to the data of over 300,000 patients being compromised and a $3 million (£2.3m) slap on the wrist for the healthcare service provider.
University of Rochester Medical Center, USA – $3 million (£2.3m)
The OCR’s third medical-based $3 million (£2.3m) fine of 2019 went to the University of Rochester Medical Center. Personal information was left unencrypted by the institution, which meant that a lost flash drive and stolen laptop were easily plundered by thieves for confidential data.
Fresenius Medical Care North America (FMCNA), USA – $3.5 million (£2.7m)
Fresenius Medical Care North America (FMCNA) was fined to the tune of $3.5 million (£2.7m) in 2018 for an eyebrow-raising five serious data breaches that occurred in 2012. The OCR concluded that the healthcare company hadn't protected its cyber assets sufficiently and was liable for the succession of breaches.
TerraCom and YourTel, USA – $3.5 million (£2.7m)
US telecoms company TerraCom and affiliate YourTel were threatened with a $10 million (£8m) penalty in 2013 after the firms, which provide low-income people with discounted phone services, inadvertently posted personal information online, including the Social Security numbers and bank account records of more than 170,000 customers. The companies were eventually stung for $3.5 million (£2.7m).
HSBC, UK – $4 million (£3.1m)
Back in 2009, HSBC was fined a total of $4 million (£3.1m) by the UK's FSA for playing fast and loose with confidential customer information. The bank was penalised for a number of breaches, from posting out floppy disks and CDs containing unencrypted data to failing to store files filled with customer data under lock and key.
The University of Texas MD Anderson Cancer Center, USA – $4.3 million (£3.3m)
Yet another medical organisation and laptop theft to boot, the University of Texas MD Anderson Cancer Center was reprimanded in 2018 for neglecting to encrypt a laptop and two portable drives that were stolen in 2012 and 2013. All in all, 33,500 patients were affected. The OCR fined the medical facility $4.3 million (£3.3m), a penalty that was upheld on appeal.
New York-Presbyterian Hospital and Columbia University, USA – $4.8 million (£3.7m)
A deactivated network server was behind a data breach in 2010 at New York-Presbyterian Hospital and Columbia University that exposed the records of 6,800 patients online. The OCR took action in 2014 and the hospital and university were handed a penalty of $4.8 million (£3.7m), which at the time was the largest HIPAA fine ever imposed.
Nationwide Mutual Insurance, USA – $5.5 million (£4.2m)
Having failed to patch up a serious security vulnerability, Ohio's Nationwide Mutual Insurance was targeted in 2012 by hackers who stole Social Security numbers, credit information and other confidential data. An investigation led to the Attorney Generals of several states chastising the company for the breach. A settlement of $5.5 million (£4.2m) was reached in 2017.
Advocate Health Care, USA – $5.6 million (£4.3m)
Eclipsing the record-breaking penalty imposed on New York-Presbyterian Hospital and Columbia University, Advocate Health Care was slammed with a $5.6 million (£4.3m) OCR fine in 2015 after the theft of four unencrypted computers containing confidential patient details on 14 July 2013. The massive data breach affected 4 million individuals.
Sigue Global Services, Italy – $6.6 million (£5.1m)
Before the GDPR came into force in Europe in May 2018, the Italian Garante held the record for issuing the EU's largest data breach fine. The regulatory body imposed the $6.6 million (£5.1m) penalty in 2017 on a British money services company that used customers' personal details without their knowledge to transfer money to China, potentially exposing the information to criminals.
Stanford Hospital & Clinics, USA – $7 million (£5.4m)
Stanford Hospital & Clinics in California came a cropper in March 2013 when two serious data breaches compromised the data of more than a million patients. In the first breach, the confidential data of 20,000 individuals was posted online. The second breach involved the theft of two laptops, which exposed around a million records. The hospital was fined $4 million (£3.1m) for the first breach and $3 million (£2.3m) for the second.
1&1 Telecom GmbH, Germany – $10.9 million (£8.3m)
One of Germany's biggest DSL and mobile service providers, 1&1 Telecom GmbH, came under fire late last year when it came to light that it had failed to put "sufficient technical and organisational measures" in place to protect customer data. Personal information was easily obtainable by anybody contacting the call centres and, as a result, 1&1 Telecom GmbH was slapped with a €9.55 million ($10.9m/£8.3m) fine.
ChoicePoint, USA – $15 million (£11.5m)
The US Federal Trade Commission (FTC) came down hard on consumer data broker ChoicePoint in 2006 after the company admitted that the personal information of 163,000 customers had been sold to businesses that were later found to be fraudulent and exploited by criminals. ChoicePoint was ordered to pay $15 million (£11.5m) for the breach.
Anthem, USA – $16 million (£12.2m)
America's largest health insurance company found itself on the receiving end of the largest medical data breach in US history in 2015, when hackers accessed the data of 78.8 million customers. Fittingly, Anthem was hit in October 2018 with a record penalty of $16 million (£12.2m) and ordered to cough up $115 million (£88m) in a separate class-action lawsuit.
Target, USA – $18.5 million (£14.2m)
The Attorneys General of 47 states and DC launched an investigation after retail giant Target acknowledged it was the target of a 2013 hack that affected 41 million credit card customers. The retailer didn't have a leg to stand on and a settlement of $18.5 million (£14.2m) was ultimately agreed.
Tesco Bank, UK – $20.6 million (£15.8m)
The UK's Financial Conduct Authority (FCA) certainly didn't hold back when it issued its first-ever fine for a cybersecurity breach in October 2018. The regulator ordered Tesco Bank to pay $20.6 million (£15.8m) for an audacious hack back in 2016 that saw criminals access the personal information of 20,000 customers and siphon off $2.9 million (£2.2m) from their accounts.
AT&T, USA – $25 million (£19.1m)
AT&T drew the ire of America's Federal Communications Commission (FCC) in 2015 for a data breach the previous year that exposed the confidential details of 280,000 customers. Contracted call centre agents in Mexico, Colombia and the Philippines had sold on the data to unscrupulous third parties. AT&T was found at fault and the FCC slapped the telecoms titan with the biggest fine it has ever issued.
British Airways, UK – $26.5 million (£20m)
British Airways (BA) was in hot water in 2018 after a breach of customers' data came to light. BA's computer systems were exposed to hackers who harvested data for two months before the company was informed by a third party and reported the incident to the UK's Information Commissioner's Office (ICO). The harvested data included log-in details, payment card data and personal information, and a further investigation by the ICO found that appropriate security measures had not been in place at the time. As a result of the breach, which affected more than 400,000 customers, BA was fined £20 million ($26.5m) by the ICO.
Comcast, USA – $33 million (£25.3m)
In what turned out to be a very expensive gaffe, Comcast accidentally published the personal information of almost 75,000 customers who had paid a premium for their data to be kept private. The breach occurred over a two-year period from 2010. The US cable operator was investigated by the Californian authorities and agreed to pay a fine of $33 million (£25.3m) in 2015.
Yahoo, USA – $35 million (£26.8m)
Yahoo broke records for all the wrong reasons in 2013 when it was the subject of the largest data breach in history. In total, a whopping three billion accounts and 200 million people were affected. In response, the US Securities and Exchange Commission (SEC) imposed a fine of $35 million (£26.8m) in 2018 on the web company's successor Altaba and part-owner Verizon Communications.
Google, France – $56.4 million (£43.2m)
European regulators have been emboldened since the new GDPR came into force in 2018 and the Commission Nationale de l'Informatique et des Libertés (CNIL), France's data watchdog, is no exception. The regulatory body penalised Google for breaching data protection laws and fined the search engine a painful $56.4 million (£43.2m). Google made it too difficult for users to find understandable information on its data use policies, CNIL said.
Marriott, UK – $124.4 million (£95.2m)
While France's data regulator has been dishing out enormous fines, its counterpart in the UK has been even more zealous. Most recently Britain's Information Commissioner’s Office (ICO) announced that it is in the process of imposing a $124.4 million (£95.2m) fine on American hotel chain Marriott for a 2014 data breach that involved the personal details of 383 million customers.
Uber, USA – $148 million (£113.2m)
After attempting a cover-up, in 2018 Uber acknowledged that its systems were infiltrated in 2016 by hackers who accessed the data of 57 million customers and drivers. Incredibly, the ride-hailing app paid the criminals $100,000 (£76.5k) to get them to delete the information. US regulators were far from impressed. The company was taken to court by the federal government together with 50 states and ordered to pay penalties amounting to $148 million (£113.2m).
Home Depot, USA – $179 million+ (£137m+)
Hackers had a field day in September 2014 when they bypassed Home Depot's feeble cybersecurity and scooped up the credit card details of 56 million customers. The US authorities have come down like a tonne of bricks on the retailer and although the fines have yet to be confirmed as settled, the estimation was that Home Depot would end up forking out around $179 million (£137m) in fines.
Equifax, USA – up to $700 million (£536m)
In 2017, credit reporting agency Equifax announced that it had exposed the personal information of 147 million people. The mistake led to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB) and 50 states of at least $575 million (£401.7m), which could reach up to $700 million (£536m). This will compensate those affected by fraud or theft as a result of the leaks.
Facebook, USA – $5 billion (£3.8bn)
But there is one breach that tops the rest by a mile. In 2019 the US Federal Trade Commission (FTC) approved a staggering $5 billion (£3.8bn) fine on Facebook to settle the infamous Cambridge Analytica scandal, which compromised the data of 87 million users. The penalty is by far the biggest ever imposed on a company for a major data breach.