British Airways-owner IAG (OTCPK:ICAGY) is facing a record $230M fine under tough new GDPR data protection rules for the theft of data from 500K customers from its website last year.

The UK’s Information Commissioner's Office proposed the penalty, which is equivalent to 1.5% of British Airways’ 2017 worldwide turnover, for the hack, which it said exposed poor security arrangements at the airline.

The big fine under GDPR has broader implications for other companies holding personal data of European users, as well as for potential claims from financial intermediaries like banks and credit card processors over stolen data.

Until now, the biggest penalty was £500K, imposed on Facebook for its role in the Cambridge Analytica scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.