Ride-hailing company Uber Technologies Inc. has been hit with more than $1 million in fines over its cover up of a 2016 breach that exposed 57 million customers’ personal data—a penalty that could have been higher under the May 2018 implemented General Data Protection Regulation.

San Francisco-based Uber’s latest fines, which totaled a combined $1.17 million, came from the U.K. and the Netherlands. On Tuesday, the U.K.’s Information Commissioner’s Office announced it fined Uber £385,000 ($491,824). In a press release, the ICO said Uber failed “to protect customers’ personal information during a cyber attack” and that 82,000 U.K.-based drivers were impacted.