I suppose it had to happen: the first big fine under GDPR in the UK for a data breach, 1.5% of its worldwide revenue. https://www.bbc.co.uk/news/business-48905907
This case, although painful for BA, will and should be raised as a "what if" risk example at all senior executive boards in the forthcoming weeks. I would be interested if anybody in this community has any references or good examples of non-technical briefings on the website hack.
You are right. The ICO's intended fine isn't the maximum. For British Airways, the potential fine amounts to 1.5% of its annual turnover in 2017, under half of the maximum GDPR penalty of 4% of annual turnover. If the ICO had deemed it appropriate, it could have issued a fine of over £450m.
But this is four times the size of the previous largest fine – that €50m penalty was issued to Google by the French data protection authority for a lack of transparency in its advertising