The thefts occurred during a data breach that affected bookings made on the airline's website between Aug. 21 and Sept. 5.
Around 380,000 card payments were "compromised", it said.
BA's servers were infiltrated in a "very sophisticated, malicious criminal" attack, BA Chairman and Chief Executive Alex Cruz said. It immediately contacted customers when the extent of the breach became clear.
The airline said that the hackers obtained names, street and email addresses, credit card numbers, expiry dates and security codes - sufficient information to steal from accounts. It notified customers as soon as possible after data breach. No travel or passport details were stolen.
Cruz said the carrier was "deeply sorry" for the disruption caused by the sophisticated crime, which was unprecedented in the more than 20 years that BA had operated online.
He said the attackers had not broken the airline's encryption but did not explain exactly how they had obtained the customer information.
"There were other methods, very sophisticated efforts, by criminals in obtaining the data," he told BBC radio. "It was having access to our systems in an illicit way, it was very sophisticated."
British Airways informed customers affected by the attack on Thursday, Cruz said. It advised them to contact their bank or credit card provider and follow their recommended advice. It also took out ads in national newspapers on Friday.
Cruz said anyone who lost out financially would be compensated by the airline.
The data breach has been resolved and BA's is working normally.