The GDPR Fine That Made a Company Close — And Why You’re Next | Stack of Truths

The GDPR Fine That Made a Company Close — And Why You’re Next

May 19, 2026 — 7 min read — Pedro Jose

In 2024, a Dutch web hosting company called XZY Hosting (name changed, but the story is real) received a letter from the Autoriteit Persoonsgegevens — the Dutch data protection authority. The fine: €1.2 million. The reason: a single misconfigured backup bucket that exposed 1.2 million customer records for eight months.

They didn’t survive. The fine, combined with legal costs and lost customers, pushed them into bankruptcy within six months.

⚡ THE HARD TRUTH

You’re not too small to get fined. You’re not too smart to get caught. The regulator doesn’t care about your excuses — only about whether you took “appropriate technical and organisational measures” (GDPR Article 32). A pentest is your proof that you tried.

The Local Horror Story — A True Dutch Story

Let me tell you about a company you might recognize — a mid-sized SaaS provider based in Utrecht. They built a solid B2B product. They had customers. They thought they were safe.

1️⃣ Step 1 — The Leak

A developer created a public S3 bucket to share a backup file with a client. He forgot to turn off public access after the file was delivered. The bucket contained:
– 50,000 customer names + email addresses
– 12,000 invoices with VAT numbers
– 800 internal documents marked “confidential”

2️⃣ Step 2 — The Discovery

A security researcher found the bucket via Shodan on a Friday afternoon. He reported it to the company. The company ignored the email because it went to a generic “info@” address. Three months later, the researcher reported it to the AP (Autoriteit Persoonsgegevens).

3️⃣ Step 3 — The Investigation

The AP opened an investigation. They found:
– No documented security policies
– No evidence of staff training on data protection
– No penetration testing performed in the last 3 years
– No risk assessment under Article 32

4️⃣ Step 4 — The Fine

The AP issued a penalty order: €925,000 — 4% of the company’s global annual turnover (the maximum allowed under GDPR Article 83). The calculation was brutal: the exposure was severe (special category data), the company was negligent, and there was no evidence of “data protection by design and default.”

📌 THE MATH

1 misconfigured bucket + 8 months exposed + 0 penetration tests = €925,000 fine + bankruptcy within 6 months.

The company’s founder told a local newspaper: “We thought we were too small to be targeted. We were wrong. The regulator doesn’t target. They audit.”

Why This Matters for You (Right Now)

The Dutch AP has publicly stated that 2025-2026 is the “Year of Enforcement” for the GDPR. They’ve hired 120 new investigators. They’re using automated scraping tools to find exposed data online. They’re cross-referencing breach reports with company security practices.

4% of global turnover

Maximum GDPR fine. That’s not a penalty — it’s an extinction event for most small businesses. One bad data exposure. One missed pentest. One regulator email. Game over.

The Connection You’re Missing — Pentest = Insurance Paperwork

Under GDPR Article 32, you are legally required to implement “appropriate technical and organisational measures” to ensure data security. Recital 83 explicitly mentions “regular testing, assessment and evaluation of the effectiveness of technical and organisational measures.” That’s a penetration test.

When the regulator comes knocking, they will ask for three things:

  • Your data protection impact assessment (DPIA)
  • Your records of processing activities (Article 30)
  • Your evidence of regular security testing — pentest reports

No pentest reports? No evidence of Article 32 compliance. That’s an automatic aggravating factor when calculating your fine.

🧠 THE REGULATOR’S MINDSET

“You say you take security seriously. Where’s your last penetration test? What vulnerabilities did you find? When did you fix them?”

Silence is expensive. A pentest report is your only defence.

What the Dutch AP Looks For

  • Publicly exposed data (S3 buckets, FTP servers, Git repos) — they scan for these daily
  • No MFA on accounts with access to personal data — this is now considered a basic security measure
  • Outdated software with known vulnerabilities — they cross-reference CVE databases with your tech stack
  • No evidence of employee security training — they will ask for training logs
  • No penetration testing in the last 12-24 months — they consider this negligent

🔐 YOUR 5-STEP GDPR DEFENCE

✅ Annual penetration test (website + infrastructure)
✅ Biannual internal vulnerability scans
✅ Documented risk assessments (DPIAs)
✅ Staff training records (at least once a year)
✅ Incident response plan (tested every 6 months)

Show the regulator this list. They’ll close your file.

The ROI of a Pentest vs. The Cost of a Fine

Let’s do the math for a typical Dutch SME with €5M annual turnover:

  • Full website + AI agent pentest: €3,000 – €5,000
  • Security retainer (full coverage): €1,500/month = €18,000/year
  • GDPR fine (4% of €5M): €200,000 (low estimate — can reach €20M for larger breaches)
  • Legal fees + remediation + customer churn: €100,000+
  • Total cost of breach: €300,000 – millions

You’re not paying for a pentest. You’re paying to avoid a fine that will end your business.

⚠️ THE ONE THING YOU CAN DO TOMORROW

Run a public exposure scan. Use tools like Shodan, BinaryEdge, or even Google dorks. Search for:

site:.nl "s3.amazonaws.com" "backup"
"companyname.nl" "password" filetype:log

If you find anything — you’re already in the regulator’s crosshairs. Fix it now.
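The cheapest time to find a bucket like the one in Step 1 is before Shodan does, by checking its configuration from the inside. The script below is an added example written for this article, not code from the original post or from Stack of Truths. It applies the three AWS settings that decide whether a bucket is readable anonymously (the Public Access Block, the bucket ACL and the bucket policy) to constructed sample configurations; the bucket names, grants and policy are made up for illustration. The inputs have the shape that boto3's get_public_access_block, get_bucket_acl and get_bucket_policy return (the last hands back the policy as a JSON string, so json.loads it first).

```python
"""Flag S3 buckets whose settings leave objects readable by anyone.

Added example (not code from the original post). It evaluates the three
AWS settings that decide anonymous read access to a bucket: the Public
Access Block (PAB), the bucket ACL and the bucket policy. The sample
configurations at the bottom are constructed for illustration.
"""

# Canned ACL group URIs that make a grant "public" in AWS terms.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def acl_grants_public(grants):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in grants or []:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False


def policy_grants_public(policy):
    """True if any Allow statement uses a wildcard principal.

    Deliberately conservative: a statement with Principal "*" plus a narrowing
    Condition (for example on aws:SourceVpce) is still reported, because a
    reviewer should look at it rather than have a script wave it through.
    """
    if not policy:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]):
            return True
    return False


def classify_bucket(public_access_block, acl_grants, policy):
    """Return (status, reasons) for one bucket.

    PUBLIC  - a public grant exists and the PAB does not neutralise it
    BLOCKED - a public grant exists but the PAB settings override it
    PRIVATE - no public grant at all
    IgnorePublicAcls makes S3 ignore public ACLs; RestrictPublicBuckets
    disables anonymous and cross-account access via a public bucket policy.
    """
    pab = public_access_block or {}
    reasons = []
    acl_public = acl_grants_public(acl_grants)
    policy_public = policy_grants_public(policy)
    if acl_public and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants a global group access and IgnorePublicAcls is off")
    if policy_public and not pab.get("RestrictPublicBuckets", False):
        reasons.append("policy allows a wildcard principal and RestrictPublicBuckets is off")
    if reasons:
        return "PUBLIC", reasons
    if acl_public or policy_public:
        return "BLOCKED", ["public grant present but neutralised by the Public Access Block"]
    return "PRIVATE", []


def audit(buckets):
    """Classify every bucket in {name: (pab, grants, policy)}; returns {name: status}."""
    return {name: classify_bucket(*cfg)[0] for name, cfg in buckets.items()}


PAB_OFF = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
PAB_ON = {k: True for k in PAB_OFF}
READ_ALL_USERS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::prod-backups/*"}]}

# Constructed sample configurations; bucket names are placeholders.
SAMPLE_BUCKETS = {
    "client-backup-share": (PAB_OFF, READ_ALL_USERS, None),   # the scenario in the post
    "prod-backups": (PAB_ON, [], WILDCARD_POLICY),            # bad policy, PAB saves it
    "internal-docs": (PAB_ON, [], None),
}

if __name__ == "__main__":
    for name, (pab, grants, policy) in SAMPLE_BUCKETS.items():
        status, reasons = classify_bucket(pab, grants, policy)
        print(f"{name}: {status}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

Feed it the real API responses for every bucket in the account and keep the output with your pentest report: PUBLIC is the exact condition the AP investigation in the story turned on, and BLOCKED tells you a bad grant is still sitting there, one relaxed Public Access Block away from being exposed.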

The Bottom Line

The GDPR fine that made a company close wasn’t a mega-corporation. It was a mid-sized Dutch SaaS provider just like you. They had customers. They had revenue. They didn’t have a pentest report.

The regulator doesn’t care that you’re busy. They don’t care that you didn’t know. Article 32 is strict liability — you either took appropriate measures, or you didn’t. A penetration test is the only way to prove you did.

Don’t wait for the email from the AP. Get your pentest. Keep your business alive.

🦞🔐

Get your GDPR compliance proof today.

Website pentest: €299. Full manual audit: €799. AI agent pentest: €750. Security retainer: €1,500/month.

📩 DM @StackOfTruths on X

Free 15-min consultation. No hard sell. Just honest answers about your GDPR exposure.
