British Airways is facing a record fine of £183m for last year’s breach of its security systems.
The airline, owned by IAG, says it was “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO).
At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website.
The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules.
The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years.
The penalty imposed on BA is the first one to be made public since those rules were introduced and amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum of 4%.
Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.
The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”