The airline said around 380,000 transactions were affected. Data stolen included names, email addresses and some credit and debit card information.
BA though stressed the breach did not include travel plans or passport details.
The fine is the largest handed out, to date, by the Information Commissioner’s Office (ICO) and the largest since GDPR came in to force last year, eclipsing the £500,000 slap on the wrist Facebook received for its part in the Cambridge Analytica scandal.
The total fine of £183,390,000 equates to 1.5% of BA’s worldwide turnover for the year ending 31 December 2017.
BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the ICO penalty.
“British Airways responded quickly to a criminal act to steal customers’ data,” said Cruz. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."
Willie Walsh, chief executive of BA parent IAG, added the airline would discuss the decision with the ICO and potentially lodge an appeal.
“British Airways will be making representations to the ICO in relation to the proposed fine,” said Walsh. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
BA made two disclosures relating to the data breach, the first on 6 September 2018 containing the bulk of the theft, and the second on 25 October 2018.
