The European Commission is ready to impose a £183.4 million fine on British Airways for its failure to protect the personal details of 500,000 customers.

The UK’s Information Commissioner confirmed that since June 2018 the company’s weak security allowed user traffic to be diverted from its website to a fraudulent page. British Airways is planning to contest the fine, which would set a record for violating the EU’s General Data Protection Regulation (GDPR).

Under EU rules, any organisation that holds or uses data on people inside the EU and fails to protect them can be fined up to 4% of its annual revenue. According to Information Commissioner Elizabeth Denham, “when you are entrusted with personal data you must look after it.”

To place the EU fine in perspective, before the GDPR came into effect, the UK’s Information Commissioners Office fined Facebook £500,000 for its role in the Cambridge Analytica scandal.