After a Data Breach, British Airways Faces a Record Fine
LONDON — The British authorities said on Monday that they intended to order British Airways to pay a fine of nearly $230 million for a data breach last year, the largest penalty against a company for privacy lapses under a new European data protection law.
Poor security at the airline allowed hackers to divert about 500,000 customers visiting the British Airways website last summer to a fraudulent site, where names, addresses, login information, payment card details, travel bookings and other data were taken, according to the Information Commissioner’s Office, the British agency in charge of reviewing data breaches.
In a statement British Airways said it was “surprised and disappointed” by the agency’s finding and would dispute the judgment.
The penalty signals a new era for companies that experience large-scale data breaches. Frustrated that businesses were not doing enough to protect people’s online information, European policymakers last year adopted a new law, the General Data Protection Regulation, known as G.D.P.R., which allows regulators in each European Union country to issue fines of up to 4 percent of a company’s global revenue for a breach. And by acting against an iconic British brand, officials showed that enforcement would not be limited to American-based tech companies, which have been seen as a primary target.
Previously, fines by the Information Commissioner’s Office were capped at 500,000 pounds, or about $625,000. That was the fine it imposed on Facebook last year for allowing Cambridge Analytica to harvest information on millions of users without their consent.
Facebook and Google are among other companies currently under investigation by the European authorities over breaches of the landmark law.