British Airways facing hefty fine over data theft

By admin, in News, Technology


The ICO has proposed a penalty of $230m (£183.4m) – or 1.5 per cent of British Airways’ 2017 worldwide turnover – for the hack, which it said had exposed poor security arrangements at the airline.

The cyber attack involved traffic to the British Airways (BA) website being diverted to a fraudulent site, where customer details such as login, payment card and travel booking details, as well as names and addresses, were harvested, the ICO said.

“People’s personal data is just that – personal,” said information commissioner, Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear: when you are entrusted with personal data, you must look after it.”

In response to the proposal by the ICO, BA’s chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the proposed penalty.

“British Airways responded quickly to a criminal act to steal customers’ data,” Cruz said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

Willie Walsh, CEO of parent company IAG, said BA plans to appeal against the ICO’s proposed fine: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.

The fine was the result of European data protection rules, better known as GDPR, which came into force in May 2018. The new rules allow regulators to fine companies up to 4 per cent of their global turnover in the event that they fail to protect customers’ data.

Shares in IAG had fallen by 0.8 per cent to 452.7 pence by 08:10 GMT today, with analyst Gerald Khoo at broker Liberum adding that the proposed fine equated to about 9 pence per IAG share.

The ICO, which could impose fines up to £500,000 under previous rules, had also investigated BA on behalf of other European regulators.

In 2018, the ICO fined Facebook £500,000 for serious breaches of data protection law and its role in the Cambridge Analytica data-sharing scandal. It said the penalty would “inevitably have been significantly higher under GDPR.”


Source: E&T editorial staff, E&T News, https://eandt.theiet.org/content/articles/2019/07/british-airways-facing-hefty-fine-over-data-theft/
