The Information Commissioner’s Office (ICO) of the United Kingdom announced it will fine Equifax £500,000 for a data breach that occurred in 2017.

In a monetary penalty notice filed on 19 September, the ICO revealed its decision to impose the maximum fine specified in section 55A of the Data Protection Act 1998 on Equifax.

The penalty addresses a data security incident that occurred between 13 May and 30 July 2017, a timeline which prevented the ICO from investigating the breach under the European Union’s General Data Protection Regulation (GDPR).

According to the notice, Equifax failed to verify it had scrubbed its U.S. systems of 15 million UK citizens’ personal information after it moved a product containing that information to the United Kingdom. It also failed to take proper steps to patch a critical vulnerability in the Apache Struts 2 web application framework, which it had learned of from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team in March 2017.

These and other oversights enabled attackers to exploit the Apache Struts vulnerability in the consumer credit reporting agency’s U.S. customer-facing online disputes portal. The attack compromised the sensitive personal information of nearly 150 million Americans along with the data of 15 million UK citizens.

A spokesperson for Equifax said that the agency was “disappointed in the findings and the penalty.” As quoted by BBC News:

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

For her part, UK Information Commissioner Elizabeth Denham justified the penalty on the grounds that the security incident “undermine[d] consumer trust in digital commerce” and affected “a global firm whose business relies on personal data.”