The airline reported that people using ba.com and its mobile app for bookings were targeted by hackers between 21 August and 5 September.
The stolen data did not include travel or passport details, according to BA, although it remains unclear if any other personal information was compromised.
BA said anyone who believed they might have been affected should contact their bank or credit card provider and follow their recommendations.
Around 380,000 payment cards were compromised.
The airline said the hack continued for nearly two weeks, between August 21 and September 5, with 380,000 payments compromised.
The move is also accord with GDPR provisions, which require organizations in the United Kingdom to report certain types of personal data breach to ICO within 72 hours of learning about the incident.More news: HURRICANE CENTER: Florence may become threat to U.S. East Coast
Bookings that were made were not affected, and the British Airways website and app were operating normally on Thursday. Affected customers were being contacted by staff and the police were investigating, it added.
It said customers due to travel could check in online as normal as the incident had been resolved.
Alex Cruz, British Airways' chairman and chief executive said: "We are deeply sorry for the disruption that this criminal activity has caused".
To make sure their message reaches a large portion of its customers, British Airways pinned the breach announcement on its Twitter page, for all its 1.17 million followers to see.
British Airways has announced a new codeshare agreement with Indian domestic carrier Vistara.