Personally I don't think this is claim worthy but if you must extract something from BA then go ahead.

Think on how many times you have given that number out? How many of the recipients are totally trustworthy?

I have in the past used unique individual "from" addresses for emails to third parties and regularly receive spam emails to those addresses so the practice, in the UK at least, of businesses allowing leaked info to nefarious folks is alive and well, despite the efforts of the Data Protection regimes.