I worked in a travel company. A customer reported being shared inadvertently another customer's personal and booking details. the cause was a software bug which we then rushed to fix. Please do report this. BA are probably blissfully unaware and likely will be mortified to find out.

If it's fixed quickly (and after it's fixed) ask BA what 'bug bounty' they'd like to pay you under the circumstances of you promptly drawing this to their attention without causing them an embarrassing fuss.

If it's not fixed quickly tell the other person who's details you now have, BA press office, FT, and the ICO.

If you have a contact in BA (say through LinkedIn) who is nothing to do with Customer Service I'd start with them. Aim to find a senior contact in the ops business, IT or PR.