British Airways faces a fine of £183m for a data breach in which customers’ credit card data was stolen – but says there is no evidence of harm to passengers.

The Information Commissioner’s Office (ICO) says it intends to issue the airline with a penalty notice under the Data Protection Act.

The proposed penalty is £183.4m, representing 1.5 per cent of BA’s worldwide revenue in 2017.

In September 2018, British Airways’ chair and chief executive Alex Cruz revealed what he called “a very sophisticated, malicious attack”.

Cybercriminals stole personal and financial information from hundreds of thousands of customers who booked direct with the airline over a two-week spell in August and early September.

Details of payment cards, including the number, expiry date and three-digit security code or “card verification value” (CVV) were illegally extracted from the reservations system.

The following month, BA said that passengers who had made bookings through its Avios scheme between April and July 2018 were also at risk.

Customers were told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.”

The airline said it would indemnify customers who suffered financial harm.

The information commissioner Elizabeth Denham said: “People’s personal data is just that – personal.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Mr Cruz said: “We are surprised and disappointed in this initial finding from the ICO.

“British Airways responded quickly to a criminal act to steal customers’ data.”

He said no evidence had been found of any fraudulent activity on accounts linked to the theft.

BA is part of the International Airlines Group, whose chief executive Willie Walsh said: “British Airways will be making representations to the ICO in relation to the proposed fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Under the General Data Protection Regulation, fines can be up to 4 per cent of annual global revenue. BA’s total revenue in the year to 31 December 2017 was £12.2bn, making the maximum possible fine £488m.

After a cyberattack on TalkTalk in 2015, which affected fewer than half as many customers as the airline breach, the telecom firm was fined £400,000. In 2018, Facebook was fined £500,000 for its role in the Cambridge Analytica data scandal. These penalties were under the old data protection rules.

The proposed penalty for British Airways is equivalent to just over £4 for each passenger expected to fly on BA this year.