That was an error with potentially very grave consequences, but it seems the MoD handled it well once they were aware of it (“Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients”).
I don’t think a larger fine would have made them do better, so why make it higher?
That sounds like a fine that was the maximum under the pre-GDPR regime, rather than the GDPR-era penalty regime. If the offence took place before the new rules were in force, the old penalties apply, even if the case takes some time to be resolved.