The Information Commissioner’s Office (ICO) says it intends to issue the airline with a penalty notice under the Data Protection Act.
The proposed penalty is £183.4m, representing 1.5 per cent of BA’s worldwide revenue in 2017.
In September 2018, British Airways’ chairman and chief executive, Alex Cruz, revealed what he called “a very sophisticated, malicious attack”.
Cyber criminals stole personal and financial information from hundreds of thousands of customers who booked direct with the airline over a two-week spell in August and early September.
Details of payment cards, including the number, expiry date and three-digit security code or “card verification value” (CVV) were illegally extracted from the reservations system.
The following month, BA said that passengers who had made bookings through its Avios scheme between April and July 2018 were also at risk.
Customers were told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.”
The airline said it would indemnify customers who suffered financial harm.
The Information Commissioner, Elizabeth Denham, said: “People’s personal data is just that – personal.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Mr Cruz said: “We are surprised and disappointed in this initial finding from the ICO.
“British Airways responded quickly to a criminal act to steal customers’ data.”
He said no evidence had been found of any fraudulent activity on accounts linked to the theft.
BA is part of the International Airlines Group, whose chief executive, Willie Walsh, said: “British Airways will be making representations to the ICO in relation to the proposed fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Under the General Data Protection Regulation (GDPR), fines can be up to four per cent of annual global revenue. BA’s total revenue in the year to 31 December 2017 was £12.2bn, making the maximum possible fine £488m.
After a cyber attack on TalkTalk in 2015, which affected fewer than half as many customers as the airline breach, the telecom firm was fined £400,000. In 2018, Facebook was fined £500,000 for its role in the Cambridge Analytica data scandal. These penalties were under the old data protection rules.
The proposed penalty for British Airways is equivalent to just over £4 for each passenger expected to fly on BA this year.
The airline has four weeks to appeal. The ICO said it will “will consider carefully” the representations made by the airline before it takes its final decision.