BA says personal and financial data of customers making bookings through its website and app between 10.58pm on August 21 and 9.45pm on September 5 has been compromised.
"The breach has been resolved and our website is working normally," said BA in a statement on Thursday evening (September 6). "We have notified the police and relevant authorities.
"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously."
Sky News reports the theft could extend to data relating to as many as 380,000 payment cards.
No passport or travel details were stolen, BA has confirmed.
The airline says it will contact affected customers directly to advise them of what has happened.
It is though advising them to contact their banks and/or credit card providers and follow their recommended advice.
Passengers can change their ba.com password as a precaution.
Any imminent travel plans or future bookings are unaffected and passengers continue to be able to check-in as usual.