BA, which is owned by International Airlines Group (IAG), has said criminal activity put the personal and financial details of thousands of customers at risk over a 15-day period.
The airline said it was investigating the breach, which took place from 11pm on August 21 until 9.45pm on Wednesday.
Multiple regulators have been contacted about the data hack, including the National Crime Agency, the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
In a statement, an ICO spokesperson said: “British Airways has made us aware of an incident and we are making inquiries.”
BA’s data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4 per cent of global turnover, whichever is greater.
In the year ended December 31 2017, BA’s total revenue was £12.2 billion, meaning the company could face a fine of around £500 million if the ICO takes action.
Dixons Carphone is also being investigated by the ICO for the massive hack that it revealed in June.
However, the retailer’s breach began in July last year, which may allow the company to side-step the larger fines imposed under the new regulation.
BA said it is co-operating with all the relevant regulators following the data breach.
Speaking on the BBC, Alex Cruz, BA’s chairman and chief executive, said: “There was a very sophisticated, malicious criminal attack on our website.
“We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work.”
Shares in IAG were down more than 3 per cent in morning trade.