The airline, owned by IAG, has previously said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details. The information included names, email addresses, credit card information such as credit card numbers, expiration dates and the three-digit CVV code found on the back of credit cards, although BA has said it did not store CVV numbers.
The incident was first disclosed on 6 September 2018.
The Information Commissioners Office (ICO) said it was the biggest penalty it had ever handed out and the first to be made public since the General Data Protection Regulation (GDPR) was introduced and amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum of 4%, according to BBC.
So far, the biggest penalty was GBP 500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.
BA has 28 days to appeal. Willie Walsh, chief executive of IAG, said British Airways would be making representations to the ICO, BBC added.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now