Britain’s privacy watchdog on Monday announced its intention to fine British Airways, the country’s second-largest airline, nearly £183.4 million ($229.5 million), citing a security weakness in the airline’s website that enabled hackers to harvest the personal information of customers.
The U.K. Information Commissioner’s Office (ICO) issued a notice concerning the proposed fine citing infringements of the General Data Protection Regulation (GDPR). The incident was the result of poor security arrangements at the company, the ICO said in a statement.
“People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” said Information Commissioner Elizabeth Denham. “That’s why the law is clear—when you are entrusted with personal data you must look after it.”
She added: “Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
More than 500,000 customers were compromised as a result of the incident, according to British Airways. The company has advised that anyone who made bookings or changes to bookings between August 21, 2018, and September 5, 2018, may be a victim.
The airline has said names, billing addresses, email addresses, and all bank card details were at risk. No passport or travel details were stolen, it said.
Alex Cruz, British Airways’ chairman and chief executive, told Gizmodo the company was “surprised and disappointed” by the ICO’s proposal. “British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Willie Walsh, chief executive of International Airlines Group, which owns British Airways, said the company intends to take “all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
The potential £183.4 million fine against British Airways would be the largest fine imposed by the UK under GDPR since the law went into effect in May 2018, according to the BBC. The previous largest fines by the ICO include a £500,000 penalty levied against Facebook for its role in the Cambridge Analytica debacle—£500,000 being the maximum fine under the UK’s previous data protection rules—and a £500,000 fine against Equifax for its 2017 data breach, which reportedly affected up to 15 million UK residents.
The ICO has not yet issued a formal decision concerning the penalty and said it is considering input from British Airways as well as other data protection authorities. The watchdog also noted the airline has cooperated with the investigation and said it has already made improvements to its security.