British Airways has been fined a record £183 million by the Information Commissioner's Office (ICO) over a huge data breach it suffered last year.
The airline, which is owned by IAG, said it was "surprised and disappointed" by the scale of the fine and will appeal.
The data breach saw 500,000 customers personal information stolen, including transaction details and card details. British Airways described it as a "sophisticated, malicious criminal attack" which saw customers diverted from the airline's website to a fraudulent one instead.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Willie Walsh, chief executive of IAG, said: "We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals."
Alex Cruz, British Airways' chairman and chief executive, said: "We are surprised and disappointed in this initial finding from the ICO.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
"We apologise to our customers for any inconvenience this event caused."