"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," British Airways' chairman and chief executive Alex Cruz said.
The company said it is communicating with affected customers and advised anyone who believed they may have been affected to contact their banks or credit card providers.
"We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action," the UK National Crime Agency said.
In June, British electronics retailer Dixons Carphone was hit by a massive data breach, with inital figures stating attackers accessed 5.9 million customer payment-card details and a further 1.2 million records containing personal information.
Analysis of malicious login attempts by country against the hotel and travel industry by researchers at Akamai found that between November 2017 and March 2018, 650 million attacks came from Russia and 625 million came from China.
"By their nature, companies in the hospitality sector often hosts a lot of personal information," Bernd Konig, director of security products at Akamai Technologies, told ZDNet at the time.
"For example, hotels have everything from guest credit card data through to identity documentation that guests might be required under local laws to provide at check in. This is exactly the kind of personal and payment data that would be considered valuable to hackers".
Meanwhile in America, a site for booking European train tickets, Rail Europe, revealed a three-month long data breach of payment information in May.
The company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018, and the attackers made off with a trove of data including credit card numbers, expiration dates, card verification codes, usernames, passwords, name, gender, physical and email addresses, and phone numbers.