
UK regulator fines Equifax for 2017 security breach


(Reuters) — A British regulator on Thursday fined credit reference company Equifax Inc.’s U.K. arm, Equifax Ltd., £500,000 ($653,400) for failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.

The Information Commissioner’s Office said in a statement its investigation found that although Equifax systems in the United States were compromised, Equifax Ltd. was responsible for the personal information of its customers in Britain.

Equifax said its U.K. office received the Monetary Penalty Notice from the ICO on Wednesday and was evaluating the notice and its response.

Equifax added that it cooperated fully throughout the investigation.

The cyber attack, which took place between May 13 and July 30, 2017, affected 146 million Equifax customers globally, the ICO said.

The British arm of the company failed to take appropriate steps to ensure its American parent company, Equifax Inc., which was processing the data on its behalf, was protecting the information, the ICO said.

It said the investigation, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the company, which led to personal information being retained for longer than necessary and vulnerable to unauthorized access.

The personal information lost or compromised ranged from names and dates of birth to addresses, passwords, driving licenses and financial details.

Equifax contravened five out of eight data protection principles of the Data Protection Act 1998, including failure to secure personal data, poor retention practices and lack of legal basis for international transfers of U.K. citizens’ data, the ICO said.

The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, information technology system patching and audit procedures.

The investigation also found that the U.S. Department of Homeland Security had warned Equifax about a critical vulnerability as far back as March 2017 and that sufficient steps to address the vulnerability were not taken, the ICO said.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

Equifax first disclosed in September 2017 that it had been the target of a massive data breach, mostly in the United States.

 
