I found this article on the BBC interesting. It lists the 5 largest fines so far under the EU's GDPR regulations.

Some of the offences are the kind of thing I had expected; others are rather shocking. In summary:

1. Google (€50m) in 2019, for failure to make its statements about its consumer data processing policy easily accessible to its users, and for not seeking the consent of its users to use customers' data for targeted advertising campaigns.
2. H&M (€35.3m) in 2020 for secretly monitoring hundreds of its employees.
3. Tim - Telecom Italia (€27.8m) because customers received a large number of unwanted (nuisance) promotional calls.
4. British Airways (£20m) (the most shocking of the list) in 2020 directed its website users to a fraudulent site, allowing hackers to to harvest the personal data of about 400,000 people (the leaked data included login and travel booking details, names, addresses and credit card information).
5. Marriott International Hotels (£18.4m) (also shocking) suffered a hack dating back to 2014, but not uncovered until four years later, exposing the personal details of about 300 million customers, including credit card information, passport numbers and dates of birth.

What this tells us is that companies are unable to protect the data of their customers, and that legislation like GDPR that limit the data collected and held, and puts requirements for data security on those companies regarding handling and storage are very much needed.

There is only one type of organisation that has proven to be less secure than even commercial companies in handling and storing data about us: government agencies.