Credit reporting agency Equifax has been fined £500,000 after an investigation into a prolonged hack that occurred in 2017.
Taking place between 13 May and 30 July, the hack compromised more than 15 million customer records, which affected more than 146 million customers worldwide.
According to the Information Commissioner’s Office (ICO), 657,423 customers had their personal details compromised, including information such as telephone and driving licence details.
The investigation said that the UK arm of Equifax had failed to ensure that the US company was protecting the data of its UK customers.
It found that customer data was being kept for longer than necessary and was left vulnerable to hackers because of multiple IT and auditing failures.
The company had also been warned by the US Department of Homeland Security about vulnerabilities in its systems before the hack.
Elizabeth Denham, information commissioner at the ICO, said: "We are determined to look after UK citizens' information wherever it is held.
"Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."
She added: "Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress."
An Equifax spokesperson said: "Equifax has cooperated fully with the ICO throughout its investigation and we are disappointed in the findings and the penalty.
"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
"The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk."
Equifax also gathers information from the electoral roll, court records, previous credit searches, and account data shared by banks, building societies, utility companies and other organisations.
This means that people could have been affected by the breach even if they had never used the company for its credit rating services.