When an airport gets infested by rats, you don't blame rats for that. You blame the management.

Same with hackers. They are out there, period. Nothing BA could do would change that. But BA can very well control how well IT security is implemented, and obviously, it did not do a good job at that. I hope GDPR will result in huge fines to BA - because only hitting the bottom line will force the company to take IT security seriously, instead of outsourcing the IT to the lowest bidder.