UNITED NEWS INTERNATIONAL (UNI) – Yahoo’s U.K. branch was fined £250,000 ($335,000) by the U.K. Information Commissioner’s Office over a data breach affecting more than half a million people.

The incident, which allegedly compromised personal data including names, email addresses, security questions and hashed passwords, took place in 2014 but wasn’t reported until 2016.

Legally, Yahoo should have reported the breach immediately, instead of waiting two years.

Yahoo said in 2016 “state-sponsored” hackers stole the data.

However, the ICO blames Yahoo, saying it failed to take appropriate measures to protect the data, leading to accounts being compromised.

The ICO deputy commissioner of operations said in a report on June 12, the case highlights the importance of organizations protecting personal information.

Meanwhile, data protection rights have changed since the ICO’s investigation. Under the new data protection act, the public has more control and choice over their personal data.