BA are definitely erring on the side of caution with notifying people. My nearest transaction to the dates mentioned is 20 August, a clear day before they say the hack began. This is entirely understandable; it is even worse (for PR and regulatory impact) repeatedly and incrementally to say "oh, and a few more people may be hacked" than to notify a superset in the first instance. False negatives are worse than false positives for BA.