The Equifax credit agency was fined £500,000 for not protecting the personal information of up to 15 million Britons during a 2017 cyberattack.
A recent investigation by the Information Commissioner's Office (ICO) revealed that the company's UK arm had not taken adequate steps to ensure that US parent company Equifax Inc., which processes data on its behalf, protected the information.
The ICO's investigation, conducted in parallel with the Financial Conduct Authority, revealed several errors at the credit bureau, which resulted in personal data being kept longer than necessary and vulnerable to unauthorized access.
It noted that the measures that needed to be taken to manage personal data were inadequate and ineffective, while investigators found significant problems with data retention, IT systems patching and audit procedures.
The investigation also revealed that the US Department of Homeland Security had already warned Equifax Inc of a "critical vulnerability" in March 2017.
The personal data lost or compromised during the incident ranged from names and dates of birth to addresses, passwords, driver's license and financial details.
The incident, which took place between May 13 and July 30, 2017 in the US, affected 146 million customers worldwide.
The ICO's investigation was carried out under the Data Protection Act 1998 and not under the current General Data Protection Regulation (GDPR), and the fine is the maximum permitted under the previous legislation.
Information Commissioner Elizabeth Denham said: "The loss of personal information, particularly in the case of potential financial scams, not only upsets customers, but undermines consumer confidence in digital commerce.
"This is reinforced when the company is a global company whose business is based on personal information.
"We are determined to take care of the information of UK citizens wherever they happen, and Equifax Ltd has received the highest possible fine for its own because of the number of victims, the nature of the data at risk and because there is no excuse Policies and controls as well as the law."
She added, "Many of the people affected did not know that the company had stored their data, and knowledge of the cyberattack would have been unexpected and likely to have caused particular distress.
"Multinational data companies like Equifax need to understand what personal information they have and take robust steps to protect it, and their boards must ensure that internal controls and systems function effectively to meet legal requirements and customer expectations.
"Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, which resulted in today's fine."
An Equifax spokesman said: "Equifax has been fully cooperating with the ICO throughout its investigation, and we are disappointed with the results and the punishment.
"As the ICO clarifies in its report, Equifax has successfully implemented a wide range of measures to prevent the recurrence of such criminal incidents and confirms the now strengthened procedures.
"The criminal cyber attack on our US parent last year was a crucial moment for our company, and we apologize again to all vulnerable consumers.
"Data security and the fight against criminal digital activities are a constant struggle for all organizations, which requires constant innovation and attention. We have acted and are continuing to make things right for consumers and they will always be our priority."
Additional reporting by Press Association