Hot on the heels of British Airways, all-embracing hotel group Marriott is set to face the wrath of the UK‘s data aloofness regulator.

The country’s Information Commissioner’s Office (ICO) said it plans to fine the US-based chain £99 actor ($123 million) under EU GDPR laws for a data breach that apparent claimed capacity of over 339 actor guests.

Seven actor of the afflicted users were UK residents, and 30 actor accompanying to association of 31 countries in the European Economic Area (EEA).

The adventure apropos a 2014 data breach of hotel aggregation Starwood, which was acquired by Marriott in 2016. The breach, however, wasn’t detected until November 2018.

Information Commissioner Elizabeth Denham said companies accession claimed data have a legal duty to assure them, and that ICO will not alternate to take strong action if that doesn’t happen.

“The GDPR makes it clear that organisations must be answerable for the claimed data they hold,” Denham said. “This can accommodate accustomed out proper due activity when making a accumulated acquisition, and putting in place proper accountability measures to assess not only what claimed data has been acquired, but also how it is protected.”

The latest ICO fine comes a day after UK airline British Airways was hit with an even larger amends of £183 actor ($229 million). The BA fine was the better ever issued by the ICO, and the first under the EU General Data Aegis Regulation (GDPR) laws.

The adapted regulations, which went into effect last year, state that the ICO can seek a fine of up to 4 percent of a company’s common annual acquirement in the prior banking year. This marks a cogent access on the best fine of up to £500,000 it could levy under the UK‘s antecedent data aegis guidelines.

Marriott said it would appeal againt the fine.

“We are aghast with this notice of intent from the ICO, which we will contest,” CEO Arne Sorenson said. “Marriott has been allied with the ICO throughout its analysis into the incident, which complex a bent attack adjoin the Starwood guest catch database.”

It’s quite hasty that the aggregation got off with a almost light amends given the extent of the breach. But make no mistake. The ICO binge is only a start and should put companies that deal with claimed data on high alert.

Read next: Roomba i7 review: It’s been 62 days since I picked up a vacuum