This is the largest fine the ICO has handed out to date.
The incident in question left the details of 500,000 customers in cyber criminals' hands after users were diverted to a fraudulent website.
Information stolen included names, email addresses, credit card numbers, expiry dates and the three-digit CVV codes.
Philip Greaves, Director and GDPR lead, Protiviti, commented, “Whilst the fine is significant, this is well within the boundaries of GDPR and so is not totally unexpected, and we had heard chatter at various conferences that there may be imminent fines coming out. Given the risk profile of British Airways and previous attacks over the last few years, British Airways clearly needs to be investing heavily in driving stronger cyber controls. The Regulators are not expecting attacks to stop happening, only that organisations have sufficient controls in place to limit the risk to data subjects.”