The two biggest fines ever imposed under the General Data Protection Regulation were levied by the UK’s Information Commissioner’s Office in July. Both dwarfed the €50 million ($56.3M) imposed by France against Google in January. The ICO fined British Airways £183.4 million ($230 million) and Marriott £99.2 million ($124 million) for data-breach-related violations. For Marriott it must have been a bitter pill. The offending breach, which obtained personal information from more than 300 million guests and former guests, originated in a hotel chain that Marriott acquired, and it may have been set in motion nearly two years before the acquisition. Worse for Marriott, the company reported the breach in May of last year, some months after the GDPR went into effect and superseded the previous data protection act, which carried lower penalties. Thus, explains reporter Neil Hodge, Marriott ended up being “handed a fine nearly 200 times larger for reporting a 4-year-old breach 6 months late.” The Marriott case, says one expert with both accounting and cybersecurity credentials, should serve as a warning that companies need to check third-party security protocols as well as their own.