The U.K.’s data regulator has slapped Facebook with a maximum £500,000 fine (U.S. $641,000) for serious breaches of data protection rules after users’ data was “unlawfully processed” and subsequently used to guide political advertising and campaigns as part of the Cambridge Analytica scandal.

Between 2007 and 2014, Facebook allowed third-party application developers access to the personal information of tens of millions of users without their consent—around one million of which were based in the United Kingdom. Worse still, their data was accessible even if they had not downloaded the app—developers could access it simply if they were “friends” on Facebook with people who had.

One developer, Dr. Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica, which was involved in political campaigning in the United States.

The Information Commissioner’s Office (ICO) said Facebook “failed to make suitable checks on apps and developers using its platform.”

The regulator also criticised Facebook for failing to take action when it detected incidences of massive data misuse in December 2015, such as forcing developers to delete the information they held. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.

In a statement, Elizabeth Denham, Information Commissioner, said: “Facebook failed to sufficiently protect the privacy of its users before, during, and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

The fine, which represents a drop in the ocean for a company with global revenues of $40 billion, was the maximum available to the regulator under old data protection legislation, since the data misuse occurred before the EU General Data Protection Regulation (GDPR) came into force. Under the new data rules, the company could have faced a substantially higher fine of up to £1.2 billion (U.S. $1.54 billion)—a point the regulator made very clear in its statement.

Facebook is also facing an investigation by the Irish data regulator over an unconnected data breach discovered in September, which could result in a record fine as it would be enforced under GDPR.

In response to the ICO’s findings, Facebook said in a statement: “While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.”

Facebook also said that it wants the ICO to allow it access to Cambridge Analytica’s servers so that it can audit the data it received.

In a video message at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels on Wednesday, Facebook CEO Mark Zuckerberg expressed regrets over the company’s poor handling of users’ data, while its vice president and chief privacy officer, Erin Egan, who was in attendance, said that the company was taking greater steps to improve transparency, accountability and users’ control of data.