The U.K. data regulator is fining British Airways 183 million pounds ($229 million) over a breach that compromised information on half a million customers.
The airline revealed in September that it had been the victim of a hack. The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.
Britain's Information Commissioner's Office says its investigation found "poor security arrangements" by BA.
The regulator said Monday that the fine — equivalent to 1.5% of the airline's annual turnover — is the biggest it has ever imposed.
Information Commissioner Elizabeth Denham said "the law is clear - when you are entrusted with personal data you must look after it."
The airline's chief executive, Alex Cruz, said he was "surprised and disappointed" by the penalty.