A council has been fined £100,000 after 30,000 emails containing sensitive information were downloaded.
The Information Commissioner's Office (ICO) issued the fine to Gloucester City Council after a cyber attack by the group Anonymous.
Sally Anne Poole, from the ICO, said the lapse was a "serious oversight".
The council said it took "swift and reasonable steps" in 2014 as soon as it was alerted to the vulnerability, adding it is considering an appeal.
Managing director of the council, Jon McGinty, said he believed the penalty issued by the ICO will have a "serious and detrimental" impact on the authority's finances.
"The council did account for the risk of this potential fine in its accounts for 2016-17 but, nevertheless, its payment will only result in money being taken away from the people of Gloucester and given to Treasury," he added.
The ICO found the council did not have sufficient processes in place to make sure its systems had been updated while changes to suppliers were made.
Ms Poole said: "The council should have known that, in the wrong hands, this type of sensitive information could cause substantial distress to staff.
"Businesses and organisations must understand they need to do everything they can to keep people's personal information safe and that includes being extra vigilant during periods of change or uncertainty."