The Information Commissioner’s Office intends to fine British Airways for a data breach suffered by the carrier last September.
In a statement, the U.K.-based regulator says it will fine the airline £183.34 million for an infringement of the General Data Protection Regulation (GDPR).
Last September British Airways notified the ICO of a cyber attack in which customers were diverted from BA.com to a fraudulent site.
It is believed about 500,000 customer details were hacked.
The data breach, believed to have started in June last year, involved data such as log-in, payment card and travel booking details.
The ICO statement points to “poor security arrangements at the company”, and Information Commissioner Elizabeth Denham goes on to say: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”
The statement adds that BA has taken steps to improve security since the events of last year.
The carrier can now make “representations” to the ICO regarding the findings and the fine.
In a statement, BA chairman and chief executive Alex Cruz says: "We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft."
IAG chief executive Willie Walsh adds that BA will take "all appropriate steps to defend the airline's position vigorously."
GDPR, which came into effect last year, forces companies to report personal data breaches to the ICO.
Following a spate of cyber attacks last year on high profile companies such as Facebook, studies revealed consumers were less likely to want to share personal data.
The 2018 IATA Global Passenger Survey revealed a five percentage point dip to 65% of passengers who said they were comfortable sharing additional personal information.