I think this issue is valid though. My passport details are stored in my EC profile, that could be very useful to a phisher! The QXL "apology" email is an excellent example of this - it came from a polish mail server, and there seemed to be no way to link it back to BA for sure.

Also, the use of ba.com, and britishairways.com is confusing. Other websites like batraveltrade.com, batravelshops.com, baplc.com, bashares.com, and baholidays.com add even more to this.

I think the simplest would be for all these alternative domains to forward to ba.com/traveltrade or ba.com/holidays etc. That way it's clear what the website is, that it's owned by BA, and it's not a phishing exercise.