The Information Commissioner’s Office (ICO), the U.K. data regulator, has fined British Airways 183 million pounds over a breach that compromised information on half a million customers.
The airline, owned by IAG, says it was “surprised and disappointed” by the penalty from.
The airline revealed in September that it had been the victim of a hack. The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.
The ICO said its investigation found “poor security arrangements” by BA.
The regulator said Monday that the fine is the biggest it has ever imposed. Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.
Information Commissioner Elizabeth Denham said “the law is clear – when you are entrusted with personal data you must look after it.”
The airline’s chief executive, Alex Cruz, said he was “surprised and disappointed” by the penalty.
The fine given to BA is equivalent to 1.5% of the airline’s annual turnover.