The reaction was forced by GPDR legislation which puts BA directly on the hook for a percentage of turnover. They simply were not able to react in anything more than a completely defensive way, because anything giving a hint of liability puts them in the line of fire for a big fine. And having had a fairly chunky fine imposed, they're hardly going to exceed that with an even more chunky settlement to consumers.

GDPR is really an appalling piece of legislation. It's framed essentially as a tech tax against big internet concerns, and doesn't benefit consumers in the slightest because the fines go to the state, they don't go to pay compensation to people affected. So any indirect or direct goodwill payments to individuals have to be limited to reduce overall costs of settlement and implied liability. Privacy laws are great, all for that, but the state cash grab framework really is a problem. I don't think people really understand just how damaging this piece of legislation is to their interests, and how dishonestly it's been set up by its architects.