>According to the Beeb, the maximum fine is £500,000.
Yep - it needs a amending to per user not incident. Where the 157,000 had their bank details leaked maybe £10K a head dropping to maybe £1K a head for email/hashword combo. Rising up to the full whack (or higher) when someone ends up dead or injured.
Unlikely to change or attract Government interest in changing it when the company is run by a Conservative Peer of course - which is why she is worth every penny of her £2.8 million