The airline, owned by the International Airlines Group, says it is "surprised and disappointed" by the penalty from the Information Commissioner's Office (ICO).
At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website.
The ICO said it was the biggest penalty it had handed out and the first to be made public under new (GDPR) rules.
The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
UK Information Commissioner Elizabeth Denham, who is the equivalent of our Privacy Commissioner, said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The ICO said the incident was believed to have begun in June 2018.
The ICO also stated that a variety of information was "compromised" by poor security arrangements at the company. BA initially said the information involved included names, email addresses and credit card details such as card numbers, expiry dates and the three-digit CVV code printed on the back of credit cards.
One potential victim, David Champion, believes that the BA data breach probably led to his credit card being used fraudulently.
He says he was notified that his card had been used in an attempt to buy items at Harrods by phone while he was in Malaysia.
"BA are claiming there were no fraudulent transactions from the leak. My card details, I don't think, weren't exposed anywhere else," he told the BBC.
The transaction was rejected, and Mr Champion was not left out of pocket.
"BA contacted me in August/September about the breach, that addresses and emails were leaked. Later they said credit card details were too," he added. He was worried as he knew he had used BA's site twice and said that it was right that BA was being penalised for the incident.
The watchdog said BA had co-operated with its investigation and made improvements to its security arrangements.
And it happens on this side of the world too. The Australian Bureau of Statistics (ABS) has recently published new data on the IT landscape of Australian businesses, reporting that in 2017-18, 11% of those surveyed had experienced some form of internet security incident or breach.
While 71% of the 832,000 businesses surveyed said they did not experience some form of internet security incident, nearly 18% said they did not know if they had.
Of those who experienced an internet security incident or breach, over 37% suffered the corruption of hardware or software, 29% experienced the corruption or loss of data, and 52% experienced downtime of service.
Perhaps even more importantly, 7.5% experienced the theft of business, confidential or proprietary information, and 12.5% reported a loss of income as a result.
All this despite the ABS finding that in 2017-18 more than half of businesses with 200 or more employees had upgraded their cybersecurity software, standards or protocols.
According to the ABS data, less than half the businesses surveyed used cloud computing services in 2018.
The main reason for limiting or preventing the use of paid cloud computing services was the risk of a security breach, with some businesses concerned they would be hit if they moved to the cloud or they would have problems accessing data or software.
Under the new Privacy Act, currently going through its final stages in the NZ Parliament, it will be mandatory to report harmful data breaches. But you won't face the type of massive fine that hit BA: the maximum fine under the new legislation is NZ$10,000!
Sources: BBC and ABS Business Characteristics Survey