British Airways is facing a $229 million fine after suffering a cyberattack in September 2018.
The Information Commissioner's Office (ICO) said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, said a BBC report.
The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details, the report said.
The ICO said a variety of information was "compromised" by poor security arrangements at the company, including log-in, payment card, and travel booking details, as well as name and address information.
According to the BBC report, the penalty imposed on BA is the first one to be made public since GDPR rules were introduced, which make it mandatory to report data security breaches to the information commissioner.
Oleg Kolesnikov, Head of Securonix Threat Research Labs, told Security magazine: "While the fine is not the full 4% fine possible under GDPR, it is still the largest GDPR-based fine to date, roughly amounting to the cost of two new aircraft, and clearly shows the business impact of cybersecurity. At the same time, based on the in-depth technical security investigations of the BA breach we performed back in 2018 and our continuous security monitoring, BA was not unique in that there were many other businesses targeted by the Magecart malicious threat actors using the same or very similar attack vectors. Furthermore, the malicious threat actors have been continuing the attacks following the BA breach at an even larger scale, infiltrating more than 2,000 e-commerce businesses this year alone, so this should send a clear signal that organizations have a responsibility for protecting personal data, and the need to make cybersecurity a business imperative."