British Airways faces a proposed penalty of about $230 million (£183 million) after weak security on its website allowed attackers to harvest personal data belonging to approximately 500,000 customers.
The breach has produced the largest penalty yet proposed under the European Union's General Data Protection Regulation (GDPR), which came into force in May 2018. The figure is a notice of intent rather than a final fine: the amount can still change before it is confirmed.
The proposed fine follows an investigation by the UK Information Commissioner's Office (ICO), which found that inadequate security arrangements allowed attackers to divert user traffic from the British Airways site to a fraudulent site, beginning in June 2018.
Through that fraudulent site the attackers captured hundreds of thousands of customer records over a period of several months. According to the ICO, the compromised data included login credentials, payment card details, and booking information. The airline disclosed the incident in September 2018.
The penalty proposed by the ICO amounts to roughly 1.5% of British Airways' worldwide turnover for 2017, well below the GDPR ceiling of 4% of global annual turnover. CEO Alex Cruz said the company was surprised and disappointed by the preliminary finding, stating, "British Airways took swift action in response to this criminal act of data theft. We have detected no evidence of fraudulent activity or misuse of accounts related to the breach." The GDPR provisions behind the penalty (Article 32) require organisations to implement appropriate technical and organisational measures to protect the personal data they collect and store; the ICO's position is that British Airways fell short of that standard. With data breaches attracting increased regulatory scrutiny and financial consequences in the EU, British Airways can make representations against the proposed penalty before the ICO sets the final amount.