The Information Commissioner's Office plans to hit the airline over a data breach that affected 500,000 customers.
The Information Commissioner's Office in the UK on Monday revealed its plan to slap British Airways with a £183.4 million ($230M) fine over a 2018 data breach, one of the ICO's biggest fines since the General Data Protection Regulation came into effect. The breach is believed to have impacted 500,000 people, the regulator noted.
The breach, which BA disclosed in September, saw people visiting its website being diverted to a fraudulent site, where details including name, billing address, email address and payment information were harvested.
The initial disclosure said the breach happened between August and September, impacting 380,000 card payments. The airline later said that 185,000 people who made bookings between April and July may have been similarly compromised.
Information Commissioner Elizabeth Denham said in a statement that "the law is clear" when it comes to people's personal data.
"When you are entrusted with personal data you must look after it," she wrote. "Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The $230 million fine is 1.5% of BA's global turnover for the year, its parent company International Airlines Group noted in a statement. Under GDPR, companies can be fined the equivalent of $22.4 million or 4% of their total annual worldwide revenue in the preceding financial year, whichever is higher.
"We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data," Alex Cruz, BAs's chairman and chief executive, said. "We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."
Willie Walsh, IAG's chief executive, noted that the company plans to appeal the fine. It has 28 days to do so, our sister site ZDNet noted.
First published at 3:26 a.m. PT.
Updated at 4:55 a.m. PT: Adds more detail.