British Airways faces a £183.4 million ($A328.8 million) penalty after an enormous theft of customer data from the airline’s website last year.

The airline’s owner, IAG, said the British Information Commissioner’s Office intends to impose the record fine – which equates to 1.5 per cent of British Airways’ worldwide turnover for 2017.

The airline revealed last September that the credit card details of about 500,000 of its customers were stolen in an attack on its website and app.

The hack involved diverting users of British Airways’ website to a fraudulent site. The ICO said the data theft had exposed poor security arrangements at British Airways.

“People’s personal data is just that – personal,” Information Commissioner Elizabeth Denham said.

“When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

BA chairman and chief executive Alex Cruz said the airline was surprised and disappointed at the ICO finding.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” he said, adding an apology to customers for any inconvenience caused.

Willie Walsh, International Airlines Group’s chief executive, said BA would make representations to the ICO in relation to the proposed fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.

The record fine is the product of European data protection rules that came into force in 2018. They allow regulators to fine companies up to 4 per cent of their global turnover for data-protection failures.

-with AAP