The United Kingdom Information Commissioner Office (ICO) proposed to slap a GBP183.4 million pound (USD229.3 million) fine on British Airways (BA, London Heathrow) for last year's data breach.

"The law is clear - when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights," Information Commissioner Elizabeth Denham said.

In September 2018, British Airways notified an incident in which user traffic was directed to a fraudulent website. The attack, which started in June 2018, affected some 500,000 customers and exposed data such as login, payment card, and travel booking details as well name and address information.

The fine is the highest ever imposed by the ICO and the first governed by the new EU General Data Protection Regulation (GDPR) rules, which went into effect in 2018. Before that, the ICO penalties were legally capped at GBP500,000 pounds (USD625,000).

"[BA] will now have opportunity to make representations to the ICO as to the proposed findings and sanction. The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision," the office said.

The airline said it was "surprised and disappointed" with the level of the proposed penalty.