British Airways (BA) faces a fine of more than £183m from the UK's data protection authority over a security lapse that exposed personal data belonging to about 500 000 customers to hackers last year. According to a report on the Out-Law.com site, in September 2018, the airline reported that it had been a victim of a cybersecurity incident that saw personal and financial details of customers compromised. At the time, BA CE Alex Cruz described the incident as a ‘sophisticated, malicious criminal attack’, which impacted on customers who had made bookings and changes on its website and app. The Information Commissioner's Office (ICO) in the UK opened an investigation into the incident. According to the ICO, the hackers diverted BA's customers to a fake website designed to look like the company's official site where their data was then captured. The ICO said it had identified ‘poor security arrangements at the company’, although it said BA had taken steps to improve security since the breach occurred. However, the ICO said it believed BA was responsible for breaching the General Data Protection Regulation (GDPR) and it outlined its intention to fine the company £183.39m. It would be the first major fine issued by the ICO since the GDPR took effect in May 2018. British Airways has the right to make representations to the ICO before the authority makes a final decision on whether to impose a fine and, if so, the level of penalty to issue. The company has said it would challenge the ICO's provisional findings.