British Airways faces a record £183.39 million fine for a data breach last year that compromised the personal information - including payment card details - of hundreds of thousands of people.
The breach saw users of BA's website diverted to a fraudulent site, through which details of about half a million people were harvested.
Credit card numbers, expiry dates and CVV codes were all taken, along with names, addresses and travel booking information.
Information Commissioner Elizabeth Denham says: "People’s personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That’s why the law is clear - when you are entrusted with personal data you must look after it."
BA chief executive Alex Cruz says the airline is "surprised and disappointed" by the ICO finding. It has 28 days to appeal.