Written by Greg Otto

Credit monitoring giant Equifax has been hit with the maximum penalty from the UK’s data protection agency for its actions related to the company’s massive data breach.

The U.K. Information Commissioner’s Office issued a fine of £500,000 (about $664,000) for failure to protect information tied to 15 million U.K. residents.

Equifax announced in October 2017 that along with the 145 million U.S. residents impacted by the breach, a file containing 15.2 million records on U.K. citizens was also “attacked.” That number included over 693,000 U.K. residents that had their email address, phone number, driver’s license number or username and password combination stolen.

The fine ties back to the U.K. Data Protection Act of 1998, a law that has been superseded by the European Union’s General Data Protection Regulation (GDPR). The Equifax breach occurred prior to GDPR’s activation.

The fines under GDPR would be extensively larger. Under the new law, companies that suffer a data breach can be fined as much as €20 million or 4 percent of an organization’s annual global revenue, whichever is greater.

“We are determined to look after UK citizens’ information wherever it is held,” Elizabeth Denham, the UK’s information commissioner said in a released statement. “Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

Equifax did not have comment at the time of this article’s publication. CyberScoop has reached out and will update this story when we hear from the company.