The UK’s data watchdog has announced plans to fine the airline British Airways a record £183 million over last year’s data breach. The Information Commissioner’s Office (ICO) said that “poor security arrangements” at the company lead to the breach of credit card information, names, addresses, travel booking details, and logins for around 500,000 customers. The fine would be the largest the ICO has ever issued, BBC News reports, far more than the £500,000 fine against Facebook for the Cambridge Analytica scandal that affected millions. British Airways will now have 28 days to appeal the ruling before it is made final.

In a statement, the Information Commissioner Elizabeth Denham said that the loss of personal data is “more than an inconvenience” and said that companies should take appropriate steps “to protect fundamental privacy rights.”

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The fine comes less than a year after the regulator fined Facebook just £500,000 for the Cambridge Analytica scandal, which affected as many as 87 million users. If that sounds small to you, that’s because it most definitely was. However, Facebook’s fine was the maximum legal amount allowed under the UK’s previous data privacy regulation, the 1998 Data Protection Act. At the time regulators said it would have been “significantly higher” under the new GDPR rules. GDPR allows a company to be fined a maximum of 4% of its worldwide turnover; BA’s fine amounts to 1.5 percent of its 2017 revenue.

Responding to the news, British Airways’ chairman and chief executive Alex Cruz said that the company was “surprised and disappointed” by the ICO’s decision, and added that the company has found no evidence of fraudulent activity on accounts linked to the breach. The ICO notes that the company cooperated with its investigation, and has made security improvements since the breach was discovered.