Uber Technologies, already facing a range of legal and regulatory headaches in London, got another Tuesday after it was fined $491,000 (GBP 385,000) over a cyber-attack that compromised the data of millions of customers and tens of thousands of drivers.

The Information Commissioner’s Office said the personal details of about 2.7 million UK customers, including email addresses and phone numbers, may have been downloaded during a 2016 hack. Clients weren’t told for more than a year and the company paid the hackers $100,000 (roughly Rs. 70 lakhs) to destroy the data. In addition, information about 82,000 drivers was exposed.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” Steve Eckersley, the ICO’s director of investigations, said in a statement. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The fine comes as Uber battles London drivers over their employment status and the number of benefits they are entitled. It was only in June that the ride-sharing company was given a new 15-month probationary license to operate in the UK capital after transport regulators raised concerns about its gung-ho attitude and the safety of passengers.

The Dutch Data Protection Authority also fined Uber over the attack Tuesday.

Uber said that its made changes in technology and leadership since the incident.

“Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer,” the San Francisco-based company said in a statement. “We learn from our mistakes and continue our commitment to earn the trust of our users every day.”

© 2018 Bloomberg LP