It added on its website that the stolen data did not include travel or passport details.
Some angry travellers complained to Britain's Press Association that they had already noted bogus activity on credit cards that had been used to make British Airways bookings during the time when the breach was undetected.
British Airways said it had notified the police and "relevant authorities" about the breach.
"The moment we found out that actual customer data had been compromised that's when we began an all-out immediate communication to our customers, that was the priority", he said.
The airways said if you believe you have been affected, please contact your bank or credit card provider and follow their recommended advice.
There were reports of banks being inundated with calls, leaving account holders in lengthy queues, while some BA customers said they had to have cards cancelled and reissued as a result.
Investors were understandably concerned by the news, and shares in IAG sold off sharply at the market open on Friday. The same breach also hit Sears Holdings Corp., which operates Kmart stores.
The online theft saw details stolen including name, email address and credit card information, including the CVV code. It added that no future bookings will be affected.
Alex Cruz, BA's chairman has apologized for the disruption and said the company was "deeply sorry".
"This is my first involvement with BA since they left me stranded with my wife and 2-year-old daughter for a few days in Dusseldorf in December - again with no communication".
Cruz said anyone who lost out financially would be compensated by the airline.
The penalty: If it's determined that British Airways didn't do enough to protect consumer information, it could be facing a fine of up to 4 percent of its annual revenue (that works out to about 500,000 pounds).