British Airways has been ordered to pay a record $230 million fine after alleged violation of the General Data Protection Regulation, a new privacy law that was passed in the European Union last year.

The carrier’s website failure is reported to have compromised private data of about 500,000 customers. The website’s weak security features enabled user data to be re-directed from the carrier’s website to a fraudulent website since June 2018, the UK Information Commissioner’s Office said.

The hackers collected customer details including login credentials, payment card details and travel booking information.

The fine would be a record under the new data privacy rule. The proposed fine is about 1.5 % of the firm’s annual revenue.

The regulator confirmed that the company has a chance to challenge the imposed fines. British Airways has said it will contest the decision. British Airways CEO Alex Cruz said “We are surprised and disappointed in this initial finding,” He added that the company found no evidence of fraud [or] fraudulent activity on accounts linked to the theft.