Canadian federal agency said Equifax Inc. and its Canadian unit fell far short of their privacy obligations, following an investigation into the 2017 data breach at the credit reporting company.

The agency, which protects the privacy rights of individuals, analyzed the impact of the cyber-attack that affected more than 143 million people, including 19,000 Canadians. They found the reason to be the inadequate security safeguards that deteriorated with the cyber-attack.

“Given the huge amounts of highly sensitive personal information Equifax holds…it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” said Daniel Therrien, the privacy commissioner of Canada. The regulator said, “The Company has entered in a compliance agreement to address these concerns and submit audit reports to its security and that of its parent to the OPC every two years for the next six years.”

“This process allows on-going monitoring of compliance with Canada’s federal private sector privacy law, including assessing the steps taken by Equifax since the breach,” OPC said in a statement.