The credit-monitoring company had "no excuse" for its failures, a UK watchdog says.
The UK fined Equifax £500,000 ($660,000) on Thursday for failing to protect the personal data of up to 15 million citizens in the 2017 cyberattack.
The credit-reporting company disclosed the breach in September 2017. Hackers managed to break into its network and access customer names, Social Security numbers, birthdates and addresses. The hack affected 146.6 million Americans as well as people in the UK and Canada.
The Information Commissioner's Office (ICO), which conducted its investigation with the Financial Conduct Authority, found that Equifax held data for longer than necessary and left it vulnerable to hackers.
The investigation was carried out under the Data Protection Act 1998 instead of the EU's stricter GDPR rules, since the incident took place before the latter came into effect.
"We are determined to look after UK citizens' information wherever it is held," Elizabeth Denham, the information commissioner, said in a release. "Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law."
Equifax, in an emailed statement, said it's "disappointed in the findings and the penalty."
"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect," an Equifax spokesperson said. "The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk."