BA says the breach is now resolved, but customers may have had their personal and financial information exposed if they made bookings in the last couple of weeks. Specifically, the affected period is between 10:58 p.m. BST (2:58 p.m. PT) on Aug. 21 and 9:45 p.m. BST (2:45 p.m. PT) on Sept. 5.
The stolen data did not include passport or travel info, according to the airline. Both the British Airways app and website were hit by the breach.
About 380,000 card payments were affected by the breach, Reuters reports, citing International Airlines Group, BA's parent company.
BA says it will be contacting customers who were affected, and advises them to contact their banks and credit card providers.
Alex Cruz, CEO of BA, said in a statement, "We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously."
The data breach involved customers who booked through BA in a certain timeframe, similar to previous hacks that affected Best Buy and Adidas.