British Airways faces $229 mln fine over data breach
CGTN

British Airways (BA) is facing a 183-million-pound (229-million-U.S.-dollar) fine over a breach that compromised information on half a million customers – the biggest penalty to date under new, tougher regulations and one that is likely to be seen as a test case for companies that fail to secure big data caches.

The fine was proposed by Britain's Information Commissioner on Monday, months after BA revealed it had been the victim of a hack. The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.

"People's personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience," Information Commissioner Elizabeth Denham said. "That's why the law is clear – when you are entrusted with personal data you must look after it."

The regulator declared that the proposed fine – equivalent to 1.5 percent of the airline's annual revenue – is the biggest ever imposed. It comes about a year after European Union member states began implementing the most sweeping change in data protection rules in a generation.

BA is facing a 229-million-U.S.-dollar fine over a breach that compromised information on half a million customers. /VCG Photo

The General Data Protection Regulation (GDPR) is designed to make it easier for EU residents to give and withdraw permission for companies to use personal information, but it also forces companies that hold data to be accountable for looking after it. For breaching the rules, authorities can fine companies up to four percent of annual revenue or 20 million euros (22.5 million U.S. dollars), whichever is higher.

The Information Commissioner's Office says its investigation of BA found that "poor security arrangements" compromised login, payment card, and travel booking details, as well as name and address information.

International Airlines Group (IAG), parent company of BA, said that it plans to appeal the proposed fine and now has 28 days to make its case. This is the first step of the process, which could take some time to complete.

"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," said IAG CEO, Willie Walsh.

The proposed fine is the largest the ICO has sought since it told Facebook to pay 500,000 pounds (663,000 U.S. dollars) for allowing the political consultancy Cambridge Analytica to forage through the personal data of millions of unknowing Facebook users.

The Facebook matter took place before the new GDPR rules came into effect, and 500,000 pounds was the maximum penalty available at the time of the incident.

Monday's announcement is a watershed moment for Denham's office, marking the first major foray into what happens under the new legislation when information authorities accuse well-meaning companies of falling short in data protection regimes.

The proposed BA fine could be particularly worrying for companies that use a large amount of data, even though they have other business concerns, like flying planes. These companies really have to open themselves in terms of data security despite the cost and the risk of high fines, said Emily Taylor, CEO of Oxford Information Labs, a cybersecurity consultancy.

"(The information commissioner's office) is going for a very big signal to the entire marketplace," Taylor said. "This is the message: Get your information security house in order."

Source(s): AP