UK media are reporting the information includes credit card details, residential addresses and email details but the airline said the hackers had not accessed itineraries or passport details.
The airline said in a statement it was investigating “as a matter of urgency” the theft of customer data from its website and mobile app.
The breach took place between August 21 and September 5.
“The breach has been resolved and our website is working normally,’’ the airline said. “We have notified the police and relevant authorities.
“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
The airline said it was contacting affected customers directly and advising them to contact their banks or credit card providers “and follow their recommended advice”.
It said customers would still be able to check-in and and travel.
On the question of compensation, BA said it would contact customers and manage any claims on an individual basis.
Britain’s National Crime Agency said in a tweet it was aware of the reported breach and was “working with partners to assess the best course of action”.
The theft comes as unions have been critical of moves by British Airways to outsource IT work to India.
An IT failure in 2017 saw more than 700 flights canceled and left more than 75,000 passengers stranded.
Alex Neill, the managing director of home products and services at British consumer group Which? said in a statement: “British Airways customers will be concerned to hear about this data breach. It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.” (AR)