This is the reply I got from BA, cutting out the personalised aspects.
We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app the stolen data did not include travel or passport details.
From 22:58 BST on 21 August2018 until 21:45 BST on 5 September 2018 inclusive, the personal and financial details of customers making payments on our website and app (using either new or stored card information, or Paypal) were compromised. Therefore only transactions made online or on the app during this time may be affected. Stored payment cards on your Executive account, if not used during this time, will not be affected.
We will continue to keep our customers updated with the very latest information and we will be contacting customers and will manage any claims on an individual basis. Every customer affected will be fully reimbursed and we will pay for a credit checking service. The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.