Capital One recently suffered a data breach resulting from poor security practices that exposed 100 million credit card applications and accounts. They expect the breach to cost the company $150 million. Two years back, Equifax lost 140 million identities, again from poor security practices. At the time, I said that according to GDPR this should cost them $150 million. They have since settled for about $600 million -- though some of that seems to be in-kind services coverage like free credit monitoring (lol!). Separately, Facebook has settled for a $5 billion fine associated with the Cambridge Analytica privacy "breach".