The hack began in June 2018 when customer traffic to the British Airways website was diverted to a fake Web page and personal data was hacked. (Simon Dawson/Bloomberg)

British Airways is facing a nearly $230 million fine after the personal data of 500,000 customers was stolen online last year.

The United Kingdom’s Information Commissioner’s Office blamed the breach on the company’s “poor security arrangements” in a Monday statement, unveiling what would be a record fine under the European Union’s new landmark privacy rule called the General Data Protection Regulation.

The hack began in June 2018 when customer traffic to the British Airways website was diverted to a fake Web page and personal data was hacked, including customers’ names, addresses, log-in information, payment cards and travel booking details. British Airways disclosed the breach in September.

Information Commissioner Elizabeth Denham said the law regarding the protection of personal data is clear.

“When you are entrusted with personal data you must look after it,” she said in the statement. “Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Alex Cruz, chairman and chief executive of British Airways, said in a statement that the company is “surprised and disappointed” by the fine.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The Information Commissioner’s Office said British Airways has cooperated with the investigation. Still, the office proposed the record penalty of 183.39 million British pounds, or about 1.5 percent of British Airways’ annual revenue, under the General Data Protection Regulation, or GDPR, which was passed by the European Union last year.

Odia Kagan, an attorney for Philadelphia-based Fox Rothschild LLP who chairs their GDPR compliance and international privacy practice, said the last fine by the Information Commissioner’s Office was 500,000 British pounds, or about $625,000. That had been the maximum fine until the new privacy law was introduced in May of last year.

“GDPR changed dramatically the scope of fines that can be levied on companies with the intent of making the significance of privacy violations on par with violations of antitrust or violations of anti-money laundering,” Kagan said.

British Airways, which is owned by International Airlines Group, said it has since improved its security. IAG’s chief executive, Willie Walsh, said in a statement that the airline would fight the proposed penalty.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” Walsh said.

IAG’s stock dropped by nearly 1.4 percent on the London Exchange.