Research: The largest corporate fines in 2024 so far

We are just a few months into 2024 and two major corporations have already been slapped with fines of over one billion US dollars. While it is encouraging to see companies facing severe consequences for breaking the law, it does make one wonder what breaches justify such hefty penalties.

Almost every day there is a new case of corporate wrongdoing — from bribery and financial fraud to data protection breaches and deceptive marketing practices. Given the frequency of these misconducts, it isn’t easy to track which corporation has done what. Yet, the team at Tradingpedia decided to give it a try.

We took on the task of finding which companies have been dished out the biggest fines in 2024 so far and why, scouring through enforcement data from various federal regulatory agencies. After a careful examination of multiple criminal cases, civil actions, and settlements, reported in enforcement records and press releases from January 2024 to April 2024, we came up with the following ranking:

The Companies Hit with the Largest Fines Since January 2024

In addition, we estimated the average daily revenue for the companies on the list using their annual revenue from the fiscal year ending December 31, 2023, unless noted otherwise. This allowed us to check how long it would take each company to pay off all fines incurred since January 2024.

Our calculations revealed that eight out of the fifteen companies, for which information was available, could settle all of their fines for the year so far with less than a day’s revenue. Notably, the tech giant Amazon, which earned $1,574,753,425 per day in 2023, more than any other company we looked at, could clear its $34.7M fine within just 32 minutes of operation. Meanwhile, City National Bank would require the longest time to cover its $65M fine, totaling 100 days, 2 hours and 13 minutes.

Cummins – $2B

Since the beginning of 2024, Indiana-based engine manufacturing leader Cummins has paid a whopping $2 billion in civil fines and other related costs to regulatory bodies for breaching vehicle emission control regulations under the Clean Air Act.

An extensive investigation by the U.S. Department of Justice (DOJ), the Environmental Protection Agency (EPA), and the California Air Resources Board found that Cummins had installed illegal software defeat devices on 630,000 pickup trucks. These devices helped vehicles pass standard emission tests but reduced the effectiveness of the emission controls during real-world driving conditions. As a result, the trucks emitted nitrogen oxides, a key component of smog and fine particle pollution, at much higher levels than emission standards allow, exposing communities across the U.S. to harmful air pollution. Additionally, those vehicles and approximately 330,000 more had auxiliary emission control devices Cumins did not disclose as part of the engine certification process.

After paying a record $1.675 billion civil penalty – the largest ever assessed in a Clean Air Act case, which is also the second-largest environmental penalty overall – Cummins, without admitting any wrongdoing, agreed to fund federal and California emission mitigation projects and the recall program for the affected vehicles at an estimated cost of over $326 million. As per the settlement terms reached on January 10, 2024, Cummins must repair at least 85% of the trucks within three years. Failure to meet this target will result in additional penalties.

Apple – $1.953B

On March 4th, the European Commission hit U.S. tech giant Apple with a $1.953 billion (€1.8B) fine for violating competition laws related to music streaming.

The Commission began investigating Apple in 2020, prompted by a complaint from Spotify, a leading music streaming service provider. The EU’s antitrust authority found that Apple had obstructed music streaming app developers from informing iPhone and iPad users about alternative, more cost-effective music subscription services outside the App Store and from providing instructions about subscribing to such offers.

The Commission said the size of the fine reflects Apple’s global revenues and the harm the company’s actions, which went on for nearly a decade, inflicted on millions of European consumers. According to the EU regulator, iOS users might have paid more for streaming subscriptions because of the tech giant’s 30% commission fee on all in-app transactions.

In response, Apple announced that it plans to appeal the penalty. “While we respect the European Commission, the facts simply don’t support this decision.” the company added.

Gunvor – $661.7M

Switzerland-based commodities trading company Gunvor S.A. has pleaded guilty and agreed to pay over $661 million to resolve U.S. and Swiss investigations into its participation in a nearly decade-long bribery scheme.

Authorities said that between 2012 and 2020, Gunvor and its co-conspirators paid more than $97 million to intermediaries, knowing some of the cash would be used to bribe officials at Ecuador’s Ministry of Hydrocarbons and the state-owned oil company Petroecuador. These bribes were allegedly made to secure contracts for the purchase of oil products. According to the DOJ, Gunvor earned over $384 million in contract profits.

The oil trader pleaded guilty to the charges at a hearing in federal court in Brooklyn, New York, and was sentenced to pay a criminal monetary penalty of $374,560,071 and to forfeit $287,138,444 in unlawfully obtained gains. Given the company’s cooperation and remedial efforts, Gunvor will receive credit for amounts paid to Switzerland and Ecuador authorities.

Endo International – $464.9M

Endo Health Solutions Inc., an affiliate of Ireland-based Endo International, has agreed to pay the U.S. government $464.9 million to settle criminal and civil charges related to its sales and marketing practices of the opioid drug Opana ER, as reported by the U.S. Justice Department.

The opioid manufacturer, which is already dealing with bankruptcy, has confessed to distributing misbranded drugs across the United States, thereby breaching the Federal Food, Drug and Cosmetic Act and contributing to the opioid pandemic. Endo voluntarily withdrew the drug from the market in 2017. Under the settlement terms reached on February 29th, 2024, Endo Health Solutions Inc. will pay the U.S. government $464.9 million over ten years. This settlement resolves all of the government’s monetary claims arising from the criminal and civil settlements, as well as additional tax and healthcare-related claims.

JPMorgan Chase & Co. – $366.2M

On January 16th, JPMorgan Chase & Co’s subsidiary J.P. Morgan Securities LLC agreed to pay a $18 million civil penalty to settle charges by the U.S. Securities and Exchange Commission (SEC). The government agency accused JPMorgan of preventing hundreds of advisory clients and brokerage customers, to whom the bank had issued a credit or settlement over $1,000, from reporting potential wrongdoings to regulators. It did this by asking customers to sign confidential release agreements. From 2020 through July 2023, at least 362 JPMorgan clients have signed such releases, receiving an amount ranging from approximately $1,000 to $165,000, according to the SEC.

Furthermore, on March 14th, the Office of the Comptroller of the Currency (OCC) levied a 250M penalty on JPMorgan Chase Bank, N.A., while the Federal Reserve Board added a 98.2M million fine. The charges stem from an inadequate program to monitor firm and client trading activities for market misconduct between 2014 and 2023. The regulators also require JPMorgan Chase to review and take corrective action to address the company’s inadequate monitoring practices, resulting in failures to properly monitor billions of trades across at least 30 global trading venues. The bank has agreed to pay the penalties, neither admitting or denying the accusations.

Google – $271.3M

France’s competition regulator announced on March 20th it has slapped Google with a $271.3 million (€250M) fine for breaking EU intellectual property laws.

The tech giant was found to have breached four out of seven commitments made in June 2022, including failing to negotiate with media publishers in good faith on how much compensation they would receive for the use of their content. Additionally, Google didn’t inform news publishers that it was utilizing their articles to train its A.I. chatbot Bard, now known as Gemini. The company also didn’t provide a way for publishers to opt out, blocking them from possibly negotiating fair payment for the use of their content.

While Google deemed the fine disproportionate to the issues raised by the authority, it agreed to settle the penalty, stating, “We have compromised because it is time to turn the page.” The company has also proposed a series of corrective measures to address certain breaches identified by the regulator.

Morgan Stanley – $268.1M

In 2024 so far, the investment bank and financial services giant Morgan Stanley has paid $268.1M million to end criminal and civil investigations related to its handling of large stock trades for customers and municipal securities violations.

On January 12, the SEC charged Morgan Stanley & Co. LLC and the former head of its equity syndicate desk, Pawan Passi, of engaging in a multi-year fraud involving the disclosure of confidential information about the sale of large quantities of stock known as “block trades”. Morgan Stanley has been ordered to pay $138,297,046 in disgorgement, $28,057,775 in prejudgment interest, and an $83 million civil penalty. However, the disgorgement and interest were deemed partially satisfied by the forfeiture and restitution the company paid in a parallel criminal settlement with the DOJ. Meanwhile, Passi faced a civil penalty amounting to $250,000 and a one-year ban from the securities industry.

In parallel action, Morgan Stanley & Co. entered into a non-prosecution agreement with the U.S. Attorney’s Office in the Southern District of New York, agreeing to a payment of $153.4M for making false statements concerning the sale of block trades from 2018 through August 2021.

Moreover, on February 15th, the Financial Industry Regulatory Authority fined the company’s wealth and asset management division, Morgan Stanley Smith Barney LLC, $1.6 million for not closing out 239 inter-dealer municipal transactions aged over 20 calendar days after the settlement date with a total value of approximately $9 million from December 2016 through August 2021.

SAP SE – $235.7M

German-based software company SAP SE has agreed to pay over $235 million to settle bribery charges following investigations conducted by the Justice Department and the SEC.

The DOJ accused the software giant of violating the Foreign Corrupt Practices Act by bribing government officials in Indonesia and South Africa. These bribes, which included cash payments, political contributions, electronic transfers, and the purchase of luxury items during shopping excursions, were aimed at securing business deals. As part of the three-year deferred prosecution agreement reached on January 10th, SAP will pay a $118.8 million criminal penalty and forfeit $103,396,765, with $85 million being satisfied through disgorgement as ordered by the SEC.

“SAP has accepted responsibility for corrupt practices that hurt honest businesses engaging in global commerce,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia.

In a parallel criminal case, the SEC investigated similar alleged bribery schemes in Azerbaijan, Ghana, Kenya, Malawi, Tanzania, Indonesia, and South Africa. According to the Commission, SAP employed third-party intermediaries and consultants to pay the bribes starting in at least 2014. To settle the SEC’s charges, the company agreed to monetary sanctions of $98,451,184 in disgorgement and prejudgment.

Blue Moon Investments Inc. – $204.6M

The U.S. District Court for the Western District of Texas ruled against Jonathan Cartu, Leeav Peretz, Nati Peretz, and their company Blue Moon Investments Inc., for operating a fraudulent binary options scheme, announced the Commodity Futures Trading Commission on March 14th.

The Seychelles-based corporation, along with its owners, believed to be from Israel, were found guilty of offering illegal binary options and defrauding investors. They went as far as manipulating trade outcomes to ensure customer losses, thus illegally profiting over $51.1 million from U.S. investors. The case, which dates back to September 2020, concluded with the court imposing a severe penalty on the defendants, totaling $204.6M in disgorgement and civil fines. The court’s order also permanently bans the defendants from registering with the Commodity Futures Trading Commission and trading on any registered entity in the future.

Trafigura Beheer B.V. – $127M

The international commodities trading company Trafigura Beheer B.V. with its primary operations in Switzerland has agreed to nearly 127 million, after pleading guilty in the Southern District of Florida to a bribery scheme, reported the DOJ on March 28th.

The Justice Department found that between 2003 and 2014, the company had been paying bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. – Petrobras. According to the Justice Department’s Criminal Division, the commodity trader reaped over $61 million in profits.

Under the plea agreement, the commodity trader will pay a criminal fine of $80,488,040 and forfeiture of $46,510,257. For its cooperation with the department’s investigation and affirmative acceptance of responsibility, Trafigura will be credited up to $26,829,346 of the criminal fine against amounts paid to resolve an investigation by law enforcement authorities in Brazil for related conduct.

City National Bank – $65M

On January 31st, the OCC announced that the Royal Bank of Canada’s American unit, City National Bank, has been handed a $65 million civil penalty for failing to maintain proper risk management and internal controls.

On top of the $65 penalty, which is to be paid to the U.S. Treasury, the OCC has also ordered the Los Angeles-based bank to take corrective actions to improve its strategic plan, operational risk and compliance risk management, which includes anti-money laundering and fair lending strategies as well as internal controls.

“City National, and our new executive management team, are committed to resolving the matters identified in the OCC’s order as quickly as possible. Our focus will continue to be on both strengthening our infrastructure and systems to reflect a bank of our size and business model, while at the same time providing our clients with consistently outstanding banking products and services,” City National’s chief communications officer, Diana Rodriguez, said in a statement.

Empires Consulting Corp. – $64.3M

On March 15th, the Commodity Futures Trading Commission announced that the U. S. District Court for the Southern District of Florida ordered the Empires Consulting Corp., a Florida commodity pool operator, to pay $64.3M for a fraudulent scheme.

The Empires Consulting defrauded participants in unlawfully operated commodity pools under the name EmpiresX, without being registered as required, commingled participant funds and obtained approximately $100 million. The order requires Empires Consulting to pay $32,178,397 in restitution and a civil penalty of the same amount, a total of $64,356,794. The order also permanently prohibits Empires Consulting from engaging in further violations of the Commodity Exchange Act and the Commodity Futures Trading Commission regulations.

Linde Inc. – $59М

Under an agreement approved by the Federal Energy Regulatory Commission on January 4th, the chemical company Linde Inc. will pay $59 million to settle charges it manipulated the Midcontinent Independent System Operator’s (MISO) demand response program, with the Northern Indiana Public Service Company (NIPSCO) acting as the market participant.

While both Linde Inc. and NIPSCO fully cooperated with the Commission’s enforcement office, they neither admitted nor denied the alleged violations. Linde Inc. has agreed to disgorge the $48.5 million received through the demand response program and pay the U.S. Treasury a civil penalty of $10.5 million. Additionally, Linde Inc. will provide training to its staff and promptly notify the Enforcement and the MISO Market Monitor if it engages in similar programs in the future. NIPSCO has assured that the $7.7 million earned from Linde’s participation in the program will be refunded to the customers.

Boeing Co – $51М

On February 29th, the Boeing Company reached a $51M settlement with the U.S. Department of State in response to its unauthorized technical data exports to employees and contractors in foreign countries, including China.

The aerospace manufacturer voluntarily disclosed all 199 violations of the Arms Export Control Act, the majority of which occurred before 2020. Boeing has implemented numerous enhancements to its compliance program since the incidents. As part of the agreement, Boeing will pay a civil penalty of $51 million, $24 million of which will be used to strengthen the aerospace company’s compliance program further. In addition, for at least 24 months, the Department of State will provide an external compliance officer to oversee Boeing to ensure that the company is adhering to the consent.

U.S. Bancorp – $49.7М

At the end of 2023, the Consumer Financial Protection Bureau (CFPB) imposed a fine of nearly $21 million on U.S. Bank, a subsidiary of U.S. Bancorp, for blocking out-of-work consumers from accessing unemployment benefits during the peak of the COVID-19 pandemic. The CFPB said the bank froze tens of thousands of accounts due to anti-fraud controls and failed to provide a reliable and quick way for customers to regain access to their unemployment funds. The order required the U.S. Bank to pay $5.7 million to the consumers whose accounts were frozen, as well as a $15 million penalty. The OCC issued a separate $15 million fine on the bank.

On February 9th, the SEC levied fines totaling over $81 million on 16 financial companies, including units of U.S. Bank, for recordkeeping failures after employees used unapproved communication channels and did not save the messages. Financial firms are required to monitor and save communications involving their business in case the Commission suspects wrongdoing and kicks off an investigation. U.S. Bancorp Investments Inc. agreed to pay an $8 million penalty. About a month later, the Commodity Futures Trading Commission ordered the bank to pay a civil monetary penalty of $6 million for similar allegations.

Dollar Tree Inc. – $41.8M

On February 26th, Family Dollar Stores LLC was ordered to pay a record fine after pleading guilty in a federal court in Little Rock to holding food, drugs, medical devices, and cosmetics under unsanitary conditions at a rodent-infested warehouse in Arkansas.

The retailer, a subsidiary of Dollar Tree, admitted that, despite encountering mouse and pest issues with store deliveries starting in August 2020, it continued to ship unsafe and unsanitary items from the warehouse until January 2022. It was only during a federal inspection that live, dead, and decaying rodents were discovered in the facility. Products from the rodent-infested distribution center had been shipped to a total of 404 stores across Alabama, Missouri, Mississippi, Louisiana, Arkansas, and Tennessee. As part of a plea agreement, Family Dollar agreed to pay $41.675 million, marking the largest-ever monetary criminal penalty in a food safety case to date.

In addition, The Occupational Safety and Health Administration has issued two fines against Dollar Tree since the beginning of 2024, totaling $113,300, for exposing workers to safety hazards. According to a press release by the parent company, approximately 600 Family Dollar Stores will close in the U.S. in the first half of fiscal 2024.

Amazon – $34.7M

Amazon France Logistique, responsible for managing the company’s warehouses in the country, has been slapped with a hefty $34.7 million fine by a French regulator. This is the only GDPR-related fine on the list.

The French Data Protection Authority (CNIL) found that the tech giant’s French company gave its warehouse employees scanners that recorded and stored their periods of inactivity and how quickly they performed certain tasks, such as removing items from shelves and packing. The French regulator ruled it illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption. The system for whether a worker scanned an item less than 1.25 seconds after scanning the previous one was described as “excessively intrusive,” including the company’s policy of keeping data and statistical indicators on employees for 31 days, even in light of the “high performance targets” at the business. The CNIL also found employees and external visitors were not adequately informed about the video surveillance software, which was also not sufficiently secured.

“We strongly disagree with the CNIL’s conclusions which are factually incorrect and we reserve the right to file an appeal,” Amazon said in a statement.

Day Pacer LLC – $28.7M

On January 31, the U.S. Federal Trade Commission (FTC) reported that an Illinois federal court has issued final orders against the telemarketing company Day Pacer LLC, which formerly did business as Edutrek L.L.C., for bombarding millions of job seekers with illegal calls.

In September 2023, the Northern District Court of Illinois ruled in favor of the FTC’s case against the company, which bought consumers’ contact information claiming to help people find jobs, but instead illegally called those consumers to market unsolicited vocational or post-secondary education services. The court also found that the defendants paid other telemarketing companies to make approximately 40 million calls to people registered on the National Do Not Call Registry, ignoring repeated consumer complaints and warnings from business partners.

On January 23, the court deemed it appropriate to impose a $28.7 million civil fine on the corporate defendants and a permanent ban from participating or assisting others in telemarketing.

Restoro Cyprus Limited, Reimage Cyprus Limited – $26M

The FTC has fined two tech support companies $26 million for tricking customers into spending tens of millions of dollars on unnecessary computer repair services.

According to the Commission, Restoro Cyprus Limited and Reimage Cyprus Limited, both based in Cyprus, deceived customers, particularly older ones, into purchasing its online software – at prices ranging from $27 to $58 – to rid their computers of alleged viruses and serious issues found by the company’s so-called performance and security scan. After purchasing the software, people were told to call a software activation number, in which sales agents urged them to buy more services for hundreds of dollars for the fix.

The companies, who have been operating the scheme since at least 2018, have been ordered to pay $26M million in restitution to the consumers who fell for the scheme. The order also prohibits them from engaging in any deceptive telemarketing or misrepresentations regarding computer security or performance issues.

Lordstown Motors Corp. – $25.7M

On February 29th, bankrupt electric vehicle manufacturer Lordstown Motors Corp. agreed to pay $25.5 million to settle SEC charges for deceiving investors.

According to the SEC, the automaker misled investors about the sales prospects of its Endurance electric pickup truck and misrepresented how quickly it could deliver the trucks. Without admitting or denying the SEC’s findings, the company agreed on a $25.5 million fine, which will be deemed satisfied through payments Lordstown plans to make to settle two class-action lawsuits.

Furthermore, under the agreement filed with the U.S. District Court for the District of Columbia, Stephen Burns, former Chairman and CEO of Lordstown Motors Corp., was ordered to pay a civil fine of $175,000 and was prohibited from serving as an officer or director of a publicly traded company for two years.

The company recently came out of Chapter 11 bankruptcy and is now operating under the name Nu Ride Inc.

The Individuals Slapped with the Largest Fines in 2024 so far

On February 16th, a Manhattan Supreme Court Judge ordered Donald Trump to pay approximately $454 million, marking the largest penalty imposed on a person on this list. The judge found the former president guilty of engaging in years of financial fraud. He falsely inflated the value of his assets to illegally boost his net worth and enrich himself, his family, and his organization. In addition to being required to forfeit $354 million in ill-gotten gains and $100 million in pre-judgment interest that accrues daily until paid, Donald Trump is prohibited from serving as an officer or director of any New York company and from applying for loans from any New York bank or financial institution for three years. The former president denied all wrongdoing and decided to appeal the fraud case, facing possible bankruptcy or the seizure of his assets if he failed.

Bulgarian national Irina Dilkinska is next on the ranking. She was sentenced to four years in prison for her role in a $4 billion crypto Ponzi scheme. In 2014, Ruja Ignatova, known as the Cryptoqueen, and Karl Sebastian Greenwood co-founded OneCoin, a company based in Sofia, Bulgaria, that marketed and sold a fraudulent cryptocurrency by the same name through a global multi-level marketing network. Dilkinska, the former head of legal and compliance for OneCoin, assisted in running the company’s operations, which shut down in early 2017, and pleaded guilty to committing money laundering and wire fraud. In addition to the four-year sentence, Dilkinska was also ordered to forfeit $111,440,000.

Joseph Carvajales, a resident of Florida and an employee of The W Group, is facing the third-largest penalty on this list for his involvement in a fraudulent scheme. Carvajales deceived customers into investing in commodity futures, forex, and options, falsely promising high returns through a trading algorithm. The U.S. Commodity Futures Trading Commission started legal proceedings against the Forex trader on February 7, 2022, which ended with an order by The U.S. District Court for the Southern District of Florida on March 20th, requiring Carvajales to pay $2.4 million in restitution to victims and a $1 million civil penalty. Additionally, he faces permanent bans on trading and registration and is prohibited from violating the Commodity Exchange Act and Commodity Futures Trading Commission regulations in the future.

On March 12th, the SEC charged former board member of Tallgrass Energy LP Roy Cook and four other individuals with insider trading. According to the SEC’s complaint, Roy Cook learned in late July 2019 that Blackstone Infrastructure Partners had offered to acquire all Tallgrass shares that it didn’t already own and gave that confidential information to four friends, who all bought the company’s stock ahead of the offer. The five defendants, including Cook, agreed to pay $2.2 million in fines and forfeiture of illegal profits, the fourth-largest penalty on our ranking.

In a deal subject to court approval, Brian Sewell and his company, Rockwell Capital Management, settled fraud charges about a scheme that targeted students taking the crypto coach’s online crypto trading course known as the American Bitcoin Academy. The SEC alleges that Sewell defrauded 15 students of a combined $1.2 million. Without admitting or denying the allegations, the defendants agreed to pay disgorgement and prejudgment interest totaling $1,602,089 and a civil penalty of $223,229.

The SEC issued another penalty, this time against former Arista Networks, Inc. chairman Andy Bechtolsheim. To settle the allegations that he benefited from insider trading during Cisco System’s multi-billion-dollar offer for Acacia Communications in 2019, Bechtolsheim, who neither admitted nor denied the claims, agreed to pay a civil penalty of $923,740. The SEC will also prohibit Bechtolsheim from serving as an officer or director of a public company for five years.

The U.S. Department of Labor’s Wage and Hour Division recovered $540,202 in back wages and damages for 367 workers. This comes after Portland-based restaurant chain Pizzicato, its owners Mark and Tracy Frankel, and the company officer John-Felix Rippel, illegally allowed managers to participate in tip pools, pocketing a portion of employees’ earned tips. They also hired a 17-year-old minor to drive a motor vehicle. The court ordered the defendants to pay an additional $29,797 in penalties.

Hood Canal property owners Joan Bayley, her son, Philip Bayley, and Big D’s Beach Cabin LLC of Union, have been sentenced to pay a $250,000 penalty for illegal bulkhead replacement work that caused the death of endangered Chinook salmon. According to the EPA, they must also pay $33,492 to the Hood Canal Coordinating Council as mitigation.

The Public Company Accounting Oversight Board has barred two partners, Marcelo de los Santos Anaya and Martín Rodríguez Martínez, and fined them a total of $165,000 for their roles in two consolidated audits in 2018 and 2019 of Grupo Simec, S.A.B. de C.V. In another case the OCC has assessed a civil money penalty of $150,000 against Thomas Lopp, the former president of Michigan-based Sterling Bank and Trust, FSB., for inadequate oversight.

The Companies Facing the Largest GDPR Fines Imposed Since the Beginning of 2024

You’ve surely heard about companies that have been fined millions for failing to comply with GDPR.

The General Data Protection Regulation is a privacy law in the European Union that requires companies to protect the personal data and privacy of individuals within the EU and the European Economic Area. It also regulates the transfer of such data outside these areas. The law became effective in 2018, and since then, many companies have faced multimillion-dollar fines for non-compliance. GDPR fines vary based on the severity of the violation; they can reach up to €20 million or 4% of the company’s annual global revenue from the preceding financial year, whichever amount is higher.

In May 2023, Ireland’s Data Protection Commission issued the largest GDPR fine to date, totaling $1.2 billion. The record-breaking fine was imposed on Facebook owner Meta after it transferred European Facebook user data to the United States without sufficient protection from Washington’s intelligence agencies.

Eager to find the top GDPR offenders and lawbreakers as of this year so far, our team crawled through the GDPR Enforcement Tracker. It provides an overview of reported fines and penalties EU data protection authorities have imposed to date. We only gathered fines levied since the beginning of 2024 and ranked the companies based on how much they have been ordered to pay.

We found that GDPR fines in 2024 have already broken the million euro mark with violations involving unauthorized access to customer personal data and the collection of employee data. While we are already familiar with Amazon’s French subsidiary, the company featuring the largest GDPR fine this year yet, the remaining part of the list showcases companies that have just made their way into the ranking.

After a cyberattack on its mobile banking portal, during which the attackers gained access to numerous data of thousands of customers, UniCredit S.p.A., an international banking group headquartered in Milan, was slapped with a $3,038,560 (€2.8 million) fine by the Italian Data Protection Authority (DPA). In another case, the Finnish online retailer Verkkokauppa.com was ordered to pay $928,931 (€856,000) because they required customers to create an account to make an online purchase and didn’t specify the retention period of their account data.

NTT Data Italia S.P.A, part of the Japanese multinational NTT DATA, a main world consulting and IT service player was hit with a $868,160 (€800,000) penalty by the Italian Garante in relation to the fine imposed on UniCredit mentioned above. The bank had contracted NTT to conduct vulnerability analyses and penetration tests; the consulting company not only failed to notify UniCredit of a data breach on time but also contracted another company to carry out the assessments without authorisation.

After an employee filed a complaint against Randstad NV’s subsidiary CTC Externalizacion SL, the Spanish DPA handed the company a $396,098 (€800,000) fine. As it turns out, the firm had taken its workers’ fingerprints to implement an attendance system and stored them in the staff portal, without informing the people in question. Furthermore, the Poland-headquartered Santander Bank Polska S.A., owned by the Spanish bank Santander Group, has been fined $353,775 (€326,000) by the Polish DPA after it failed to report a data breach on time.

In another case, an Italian unit of medical device maker Medtronic plc has been ordered to pay $325,560 (€300,000) to the Italian DPA. The fine stems from the company’s sending emails in an open distribution list to hundreds of individuals using its app to measure their blood glucose levels. As a result, all recipients’ email addresses became visible to one another, which revealed whether the people concerned had diabetes.

Vodafone España, S.A.U., a subsidiary of UK-based global communications provider Vodafone Group, saw two fines from the Spanish Data Protection Authority, totaling $325,560 (€300,000) due to insufficient legal basis for data processing. Following a person’s complaint, the Spanish DPA sanctioned another major telecommunication company, Orange España, owned by Orange S.A. of France. The mobile network operator had given a duplicate of the individual’s SIM card to an unauthorized fraudulent third party. This gave the fraudsters access to the person’s bank account.

Last on our list is Black Tiger Belgium, part of the French software company Black Tiger Group. It suffered a $189,519 (€174,640) fine imposed by the Belgian DPA following a complaint from an individual. The complaint alleged that the software publisher failed to properly comply with the individual’s request to exercise their right of access.

The Most Fined Companies in the World and the Largest Individual Monetary Penalties to Date

The team at Tradingpedia also turned to Violation Tracker, the first wide-ranging database on corporate misconduct, and compiled lists of the 20 most fined companies to date as well as the 20 largest monterey penalties since 2000.

The Bank of America stands as the company which has been fined the most over the last two decades. It has paid a total of $87.3 billion across 328 individual fines, primarily stemming from violations related to investor and consumer protection Following closely is another financial giant, JPMorgan Chase, which has been forced to pay $39.3 billion over the years as part of 275 fines. BP (formerly known as British Petroleum) ranks third, having paid $36.5 billion across 409 individual fines. Apparently, the most fined businesses are mainly in the financial and pharmaceutical sectors.

BP emerges as the company with the largest individual monetary penalty since 2000. It has paid $20.8 billion in fines to resolve legal actions related to the 2010 Gulf of Mexico oil spill brought by the US and several states. The Bank of America features the second-biggest single fine, totaling $16.7 billion. This fine was part of a settlement with the Department of Justice concerning the sale of toxic mortgage-backed securities and other financial products leading up to the financial crisis. Additionally, Bank of America dominates the list of largest individual monetary penalties, with a total of 5 fines among the top 20. In third place is Volkswagen, having paid $14.7 billion for cheating emissions tests and deceiving customers.

Methodology