But,t hat's not going to get the account unlocked in any reasonable timeframe and, in fact, may simply cause BA to issue a profuse apology but to require a new email and password.

I would respond to the "audit specialist" noting that your account was not "hacked" but rather that BA has chosen to send emails to a third-party without your authority. Accordingly, changing your email and password will have no effect. Repeat the specific request that BA remove the offending email and then unlock the account.

I would expect BA to ask that you provide some form of identification in order to assure that it is not the third-party but you who is inappropriately receiving data.