The United Kingdom’s Information Commissioner’s Office fined British Airways more than £183 million (around Rs 1,568 crore) after computer hackers stole bank details from hundreds of thousands of passengers in 2018, AFP reported on Monday, quoting International Consolidated Airlines Group.

The ICO said its investigation exposed poor security arrangements at the airline, Reuters reported. The hackers harvested customer details including login, payment card, name, address and travel booking information after traffic to the British Airways site was diverted to a fraudulent site, the ICO said.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham, according to Reuters. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

However, parent group International Consolidated Airlines Group said it will appeal against the fine. In a statement, it said the UK Information Commissioner’s Office intended to issue the airline with a penalty notice under the UK Data Protection Act, totaling £183.39 million. The fine is equivalent to 1.5% of British Airways’ turnover in 2017, it added.

It will “take all appropriate steps to defend the airline’s position vigorously”, IAG Chief Executive Willie Walsh was quoted as saying.

British Airways’ Chief Executive and Chairman Alex Cruz said the airline was “surprised and disappointed” by the punishment. “British Airways responded quickly to a criminal act to steal customers’ data,” he said in a statement. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The penalty came less than a year after the regulator fined social media giant Facebook for serious breaches of data protection law.

The case

In September 2018, British Airways had revealed the data hack a few months after the European Union tightened data protection laws with the General Data Protection Regulation.

British Airways had then said hackers had carried out a “sophisticated, malicious criminal attack” on its website. The stolen data included customer names, postal addresses, email addresses and credit card information. The stolen data did not involve travel or passport details.

The airline had promised to compensate affected customers after the incident and even published full-page advertisements in the newspapers to apologise to passengers.