The hotel chain said in a regulatory filing Tuesday that Britain’s Information Commissioner’s Office intends to impose a £99 million ($124 million) fine under the General Data Protection Regulation (GDPR).
The regulator said that the penalty stems from a Marriott data breach that exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.
It’s the second major fine proposed by the regulator this week. On Monday, the ICO said that British Airways (ICAGY) faces a £183.4 million ($230 million) fine after a breach compromised data on 500,000 customers.
Marriott (MAR) said that it would appeal any fine imposed by the regulator.
“We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect,” Marriott International CEO Arne Sorenson said in a statement.
GDPR forces companies to make sure the way they collect, process and store data is safe.
Any organization that holds or uses data on people inside the European Union is subject to the rules, regardless of where it is based. Companies that breach the law can be fined up to 4% of their annual revenue.