XSS vulnerabilities feature in the OWASP Top 10, and are trivial to identify using free web application scanners.
BA are clearly accountable for this. They simply did not care enough to protect our data - and sadly nor do many other major UK organisations...
Recent research published suggests the average FTSE250 organisation exposes 35 different attack surfaces, which when fingerprinted were often found to be using outdated or unsupported web server software.
To reiterate another posts point - if BA have this level of appetite for risk i.e. "Surely that won't happen to us" - What can we expect from their aircraft engineering programme?