The U.K. plans to fine British Airways 183.4 million pounds ($230 million) over computer attacks that exposed customer data, marking the first major application of far-reaching European Union rules requiring companies to tighten anti-hacking measures.

The proposed penalty relates to data theft affecting about 500,000 customers between June and September last year, the U.K. Information Commissioner’s office, which protects data privacy, said in a statement Monday. BA parent IAG SA said the fine amounts to 1.5% of the airline’s 2017 revenue.

The ICO said the hack involved BA’s website traffic being diverted to a fraudulent site through which customer details were harvested, adding that security was compromised by poor protection of functions related to log-in, payment card, and travel booking details, as well name and address information.

“We are surprised and disappointed in this initial finding from the ICO,” British Airways Chairman and Chief Executive Officer Alex Cruz said in the statement.

IAG shares fell 1.5% to 449.8 pence at 8:06 a.m. in London.

BA had initially said its systems were compromised from Aug. 21 through Sept. 5 and that about 380,000 transactions had been affected, with Cruz describing the attack as sophisticated, malicious and criminal. At the time, it advised people to contact credit card providers to manage the breach and said stolen data didn’t include travel or passport details.

Cruz said Monday the airline responded quickly and hasn’t found any evidence of fraud on accounts linked to the theft.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,“ IAG CEO Willie Walsh said in the statement.

The EU’s General Data Protection Regulation allows, which took effect on May 25, 2018, requires companies to take technical precautions such as encryption to ensure customer data is protected. It also states that firms must notify authorities about breaches within 72 hours after learning about them.

Violations may lead to fines of as much as 4% of a company’s annual sales.