It would be the biggest penalty yet under a tough privacy rule called the General Data Protection Regulation, which came into force last year in the EU.
Britain's Information Commissioner's Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent site beginning in June 2018. The regulator said the company would have a chance to contest the proposed fine.
Attackers were able to harvest customer information, including logins, payment cards and travel booking details, according to the regulator. The airline revealed the incident in September 2018.
The fine of £183.4 million ($230 million) is about 1.5% of British Airways' annual sales. The carrier, owned by IAG (ICAGY), said that it would fight the penalty.
"We are surprised and disappointed by this first finding," British Airways CEO Alex Cruz said in a statement.
"British Airways responded quickly to a criminal offense to steal customers' data. [or] fraudulent activity on theft-related accounts," he added.
GDPR forces companies to ensure that the way they collect, process and store data is safe. Any organization that holds or uses data about people in the EU is subject to the rules, regardless of where it is based. Companies that break the law can be fined up to 4% of their annual income.
"People's personal information is just that. Personal. When an organization does not protect it from loss, damage or theft, there is more than one disadvantage," Information Commissioner Elizabeth Denham said in a statement. "Therefore, the law is clear – when you are trusted with personal information, beware of it."