Poor security arrangements allowed the theft of various types of customer information from British Airways, a UK data-protection regulator has disclosed.
The Information Commissioner's Office says it believes 500,000 customers of the carrier had their personal data "compromised" during last year's incident.
It intends to fine BA more than £183 million for infringement of the European Union's General Data Protection Regulation.
The office says that, following an "extensive" investigation, it believes the incident began around June last year.
User traffic to the BA website was diverted to a fraudulent site which enabled customer details to be harvested by cyber criminals.
"A variety of information was compromised by poor security arrangements at the company, including log-in, payment card, and travel booking details, as well name and address information," says the office.
BA has co-operated with the investigation, it adds, and has since improved its security arrangements.
The airline is planning to put its case to reduce the severity of the fine, which equates to 1.5% of its global turnover for 2017, and the office says it will "consider carefully" any representation from BA on the matter.
Chief executive Alex Cruz says the carrier has apologised for any "inconvenience" to customers from the event.
But UK information commissioner Elizabeth Denham stresses the seriousness of the situation.
"People’s personal data is just that – personal," she says. "When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That’s why the law is clear. When you are entrusted with personal data you must look after it.
"Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."