The owner of Aer Lingus is facing a fine of £183m (€204m) from Britain's Information Commissioner's Office (ICO), after a customer data breach at British Airways.
Both carriers are part of the International Airlines Group (IAG).
The office has issued a notice of its intention to fine the British airline for infringements of the General Data Protection Regulation (GDPR).
The proposed fine - equivalent to 1.5% of its worldwide turnover for 2017 - relates to a cyber incident in September 2018.
This involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were harvested by the attackers.
The ICO says personal data of approximately 500,000 customers were compromised.
Its investigation found that a variety of information was compromised by "poor security arrangements at the company" - including log in, payment card and travel booking details, as well name and address information.
The UK's information commissioner, Elizabeth Denham, says: "People's personal data is just that - personal.
"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data you must look after it.
"Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
British Airways has cooperated with the investigation and has made improvements to its security arrangements, the office adds.
The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities.
BA boss Alex Cruz says the airline was "surprised and disappointed", while IAG chief executive Willie Walsh says BA would be making representations to the ICO about the scale of the fine, and could appeal it.