While it seems obvious to make the connection, are there actually any links between the BA credit card and an Avios account that a hacker could exploit? Obviously they transfer across, but the login details surely must be completely different?
It seems more likely to me (not in any way a qualified security expert!) that your email or computer was hacked and they got the information from that. Not that it really helps you - presumably you're already being vigilant over all your accounts and have changed all your passwords?