Apologies if this has already been posted, at work and haven't been able to keep up with the thread, but this article gives what I consider to be a good indication of what happened:
https://www.bbc.co.uk/news/technology-45446529
It sounds as if it was either some malicious code that was placed directly on the BA website (quite sophisticated and targeted) or more likely a compromised third-party plugin (ad tracker, feedback widget, etc.) - which would mean that there may well be other websites affected...