The stolen data did not include passport information or travel details.
Chief executive Alex Cruz says the company is "100% committed" to compensating customers who have had financial information stolen.
BORK-PRONE AIRLINE British Airways (BA) has suffered a hack that saw the financial details of its customers stolen.
The company said there was evidence that some of the data "may have left our systems", although the records did not contain payment card or bank account details and there was no evidence that any fraud has resulted.
Both the British Airways app and website were hit by the breach.
It was communicating with affected customers but advised any others who believed they might have been affected to contact their banks or credit card providers.
Cruz said the hack was not a breach of the airline's encryption.
Shares in BA's parent company, IAG, were down 2 percent on Friday. It immediately contacted customers when the extent of the breach became clear.
To make matters worse, if BA is verified not to have taken appropriate measures to secure customer data, it can face a fine of up to $650 million due to the infamous GDPR regulation in place.
The airline also apologized to its customers in a full-page ad in British newspaper Metro on Friday.
The company's mobile app was also breached, officials said.
Cybersecurity experts speculated that the inclusion of CVV numbers meant that hackers had copied customers' data as they were typing it into the BA website, rather than stealing it from a database.
In July, almost 7,000 passengers had their flights to or from Heathrow cancelled after a failure of an IT system provided to BA by Amadeus, a Spanish IT provider for global travel industry.
"It is now a race between British Airways and the criminal underground", said Reschke, head of threat intelligence at Trusted Knight.