British Airways and the hotel chain Marriott are facing record-breaking fines for failing to protect customers’ personal information in two separate data breaches.
Britain’s Information Commissioner’s Office this month issued a $230 million (£183.4 million) fine – the largest ever imposed by the ICO – against British Airways for a data breach last year that exposed about 500,000 customers’ personal information. The ICO followed that ruling with a $124 million (£99 million) fine against Marriott for a data breach that started in 2014 but wasn’t discovered until November 2018 and exposed 339 million guests’ information. Data compromised in the incidents included customers’ names, addresses, passwords, credit card numbers, and travel information.
With that stolen information, identity thieves can attempt to apply for loans, open new credit cards, clone debit cards, switch a billing address, obtain a new driver’s license, and use the false identity when questioned by police.
The ICO levied the fines under the General Data Protection Regulation, which was enacted last year in a call for stricter digital privacy laws in the European Union. The regulation is far-reaching and protects EU citizens’ personal information online globally. Under the regulation, companies found in violation of data protection laws can be fined up to 4% of their annual revenue or $22.4 million (20 million euros), whichever is greater.
British Airways and Marriott officials said they plan to appeal the fines.