The person you need to contact is the BA Data Controller. They should be very concerned and they should have processes and resources in place to conduct and investigiation and hopefully get to the root cause. They usually sit outside of IT in a central governance/compliance team reporting directly to C-level execs, and can usually wield considerable control in a large organisation.

To avoid the need to use snail mail, maybe use the BA.com Official account on FT to ask for the email address of the Data Controller (or give them your email so they can contact you). I would not disclose the detail of the breach to others. You will probably need to supply them a copy of the email you received with all email headers attached. This will give them the SMTP message ID which will enable them to [hopefully] forensically go back in time in BA's systems to see what triggered the email to be sent in the way that it was. You might also want to signal to the data controller that it's not the first time this issue has been reported on the FT forums, although it's unlikely they will want to be drawn into commenting too much on that to a member of the public.

As far as I can tell, the OP was not the "data subject" of the breach - so your ability to understand whether the investigation that is conducted by BA is satisfactory or not will be very limited. However you should get a good sense of whether BA are taking it seriously or not.