British Airways faced a fine of record £183m over a data breach that affected about 380,000 transactions last year, said the company.
The fine amounts 1.5 percent of the airline’s total worldwide turnover of its financial year ending in December.
The Information Commissioner’s Office (ICO) issued the fine against BA, a subsidiary of International Airlines Group (IGA), under the General Data Protection Regulation (GDPR) which came into force last year.
The penalty was the largest one after a £500,000 fine imposed on Facebook last year for its role in the Cambridge Analytica data scandal, which was the maximum allowed under the old data protection rules.
The ICO said the penalty is the first to be made public under new rules and the biggest shake-up to data privacy in 20 years.
However, the airline can appeal within 28 days while the Chief Executive of IAG, Willie Walsh, said it would appeal against the penalty.
"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," said Walsh.
The breach, which was first disclosed on 6 September 2018, affected customers data including names, email addresses, credit card information such as credit card numbers, validation date and the three-digit CVV code found on thee back of credit cards. However, BA claimed it did not store CVV numbers.
Alex Cruz, BA's chairman and chief executive, said it was “surprised and disappointed” by the penalty.
He said "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
"We apologise to our customers for any inconvenience this event caused."