The website of British racing and sports betting newspaper Racing Post was hit with a SQL injection attack in October 2013 that enabled an attacker to access a database of registered customers, according to a Thursday news release from the Information Commissioner’s Office (ICO).

A total of 677,335 accounts were compromised, exposing information including names, addresses, dates of birth, phone numbers and passwords.

An ICO investigation revealed that Racing Post had not applied updated security patches following penetration testing on its website in 2007, and that there were also issues with the way Racing Post stored the customer data, according to the release.

Racing Post will be adding routine security testing and policies for regular security updates, the release indicates. It adds that Racing Post dodged fines of up to half a million pounds because financial data was not stolen.