The American hotel chain Marriott is fined 18.4 million pounds (more than 20 million euros) for a data leak from the British privacy authority in 2014.
The hotel chain has not made enough effort to protect guests' data, the Information Commissioner's Office (ICO) concludes.
These are customers of the Starwood hotel chain, which was acquired by Marriott in 2016.
The company included hotels under the W Hotels and Sheraton brands.
Marriot estimates that at least 339 million guests have become victims of the hack, but the actual number may be higher.
When the hack came out in November 2018, initial estimates spoke of half a billion victims.
Some of the victims may also have been counted twice.
Names, e-mail addresses, telephone numbers and passport numbers, among other things, were stolen by the hacker or hackers.
The data is sensitive and can, for example, be misused for identity fraud.
The amount of £ 18.4 million is considerably lower than the £ 99.2 million fine that ICO actually intended to impose.
ICO investigated the data breach on behalf of all European privacy regulators.
Since May 2018, an umbrella privacy regulation has applied in the EU, which in the Netherlands is called the General Data Protection Regulation (GDPR).