The U.S. Securities and Exchange Commission has imposed fines totaling $750,000 on eight entities under brokerage firms Cetera, Cambridge Investment Research and KMS Financial Services over malicious attacks on their employees’ email accounts that exposed personally identifiable information belonging to thousands of the firms’ clients, TechCrunch reported.

The fines were a consequence of the companies’ failure to implement proper cybersecurity policies and procedures to prevent unauthorized access to their cloud-based worker email accounts, the SEC said in a press release.

The SEC said Cetera’s case involved threat actors infiltrating the cloud email accounts of more than 60 staff for more than three years, leading to the exposure of more than 4,388 personal customer information, adding that it found none of the breached accounts with protections required under the company’s policies.

The orders against Cambridge and KMS likewise stated that the companies failed to adopt and implement additional firm-wide cybersecurity practices for years after the first account takeovers were discovered.