The cyber attack, which Marriott disclosed last year, exposed information on 339 million guest records, including 7 million related to British residents, the U.K. Information Commissioner’s Office said in a statement Tuesday. It’s the second time in two days the regulator has taken advantage of far-reaching European Union powers after proposing a $230 million (£183.4 million) penalty against British Airways.

The proposed fine also highlights an emerging risk in mergers and acquisitions with the ICO blaming Marriott for failing to conduct sufficient due diligence on its acquisition of Starwood Hotels & Resorts. The hack likely took place in 2014 and targeted a Starwood database, two years before the company was acquired by Marriott.

Related: Marriott responds to Starwood data breach