British Airways and Marriott International hotels are facing a total of £282m in fines as the data watchdog signalled its intention to crack down on companies which fail to protect people’s information from cyber attacks.

In a dramatic two days, the airline was hit by a £183m fine on Monday after ‘poor security’ enabled hackers to steal the personal details of 500,000 passengers last year. In a separate incident US hotel chain Marriott was today asked to pay £99m after it was revealed last year that 339 million guests had been affected by a breach that went unreported for four years.

The fines were issued by data watchdog The Information Commissioner’s Officer under the punitive new General Data Protection Regulation (GDPR), which came into force on May 25; according to the regime, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover. The maximum under the Data Protection Act 1998 was £500,000.

The ICO also released its annual report today and in the section where it lists British Airways and Marriott being part of ‘ongoing investigations’, it also mentions Cathay Pacific, which exposed personal data of 9.4m passengers in a breach last year. An ICO spokesperson confirmed that the Hong Kong airline is also being investigated under GDPR.

Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

The watchdog stressed that both British Airways and Marriott had co-operated with the ICO investigation and has made improvements to security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating the cases as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators.

Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings. The ICO said it will ‘consider carefully’ representations made by the companies and any other ‘concerned data protection authorities’ before it takes its final decision.