Following a major data breach in which the personal information of some 500,000 customers was compromised, British Airways has been fined £183.39 million ($230 million) for violations of the General Data Protection Regulation (GDPR) by the UK Information Commissioner’s Office (ICO). According to an ICO statement on July 8, 2019, the data protection watchdog found “that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
British Airways announced the data breach in September 2018, after hackers installed malware on British Airways’ website that directed customers to a fraudulent site where personal information was accessed. The fine – the highest for a data breach in violation of the GDPR to date – represents approximately 1.5% of British Airways’ annual revenue, not as high as the GDPR’s ceiling of 4% of yearly turnover.
The ICO is proving to be an activist data protection authority post-GDPR. In addition to the British Airways penalty, the ICO announced yesterday that Marriott will be fined £99 million ($123 million) after a data breach at one of the hotel chain’s subsidiaries left 339 million guests’ personal information exposed. And the ICO is not the only member state DPO to flex its enforcement muscles. In January, the French DPO fined Google $57 million for the “misuse of personal data” of its users. The Irish Data Protection Officer (DPO) is currently investigating Facebook’s data security practices after a massive data breach of 50 million accounts occurred in September 2018. If found culpable, the social media giant’s fine could reach around $1.63 billion should the maximum penalty be imposed.