Marriott has now become the second company to face a serious General Data Protection Regulation (GDPR) fine.
The US hotel group suffered a serious data breach last year, and is now facing a $123 million fine.
A GDPR statement explains, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
This second fine comes just after British Airways was slapped with a $229 million fine, months after reporting a serious data breach that saw the personal information of about 500,000 customers leaked.
Marriott was hit with a huge cyber attack in September of 2018, but the incident was reported in November. At first, the prognosis was far gloomier, as it was thought that 500 million customers’ personal information was compromised. More information came out in March of 2019, when Marriott’s Group CEO Arne Sorenson reported the details. According to Sorenson, 383 million guest records, 9.1 million encrypted payment card numbers and 18.5 million encrypted password numbers were breached. Also breached were 385,000 valid payment card numbers and 5.25 million unencrypted passport numbers.