The ICO said it was the biggest penalty it had handed out and the first to be made public under new rules.
The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience."
BA said it was all unfair as hackers had carried out a "sophisticated, malicious criminal attack" on its website.
Jake Holloway, a Director at Crossword Cybersecurity, commented on the message this sends to all companies that handle personal data. Crossword Cybersecurity focuses on the development and commercialisation of university research-based cyber security and risk management software, and on cyber security consulting.
“Today’s fine from the ICO should not be a surprise to anyone. The Commissioner has made it clear how seriously the ICO regards the protection of personal information”, he said.
It should send a shiver down the spine of every company holding such data. They too could find themselves under the crosshairs of hackers, and then regulators, he said.
“And it’s no longer just about what happens on your IT assets – CISOs and Procurement Managers need to co-operate to close the cyber back door! Every company should regularly review not only its own IT and security policies, but those of their whole supply chain. Trying to keep your own ship in order is no longer good enough, when your partners can leave you exposed to cyber risks too.”