Customers who made bookings between 5:58 p.m. ET on August 21 through 4:45 p.m. ET on September 5 should expect to be contacted by British Airways.
The airline's chairman, Alex Cruz, said that the hackers were "very sophisticated criminals" who had gained access to BA's system rather than infiltrating their encrypted data.
British Airways promised compensation on Friday to about 380,000 customers affected by a data breach this summer.
The police and relevant authorities have also been notified. "The moment that actual customer data had been compromised, that's when we began immediate communication to our customers". "We advise every client who thinks that this incident might be related to his bank or credit card provider and to follow their instructions", BA notes.
For a period of close to two weeks (August 21 to September 5), British Airways recorded a severe breach of its data by hackers.
It said customers due to travel could check in online as normal as the incident had been resolved.
Commenting on the breach, Israel Barak, Chief Information Security Officer at Cybereason, said: "The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone".
However, some customers claim they had not been contacted and found out via the news or Twitter.
Under new data protection rules, the airline was obliged to issue a breach notification within 72 hours of it being detected.
"As an industry until we can start making cybercrime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts". The important thing now, said the cybersecurity expert, is for the firm to take this opportunity to improve their security measures.
"In July, British Airways canceled dozens of flights in and out of London's Heathrow Airport, affecting thousands of passengers", NPR's Frank Langfitt reports from London.
The airline was roundly criticised for its handling of a power failure in May a year ago which resulted in thousands of flight disruptions and cancellations. If you receive any emails purporting to be from this incident or such like mentioning it asking for any personal information or to click on unverified links, discard them. "The stolen data did not include travel or passport details", a statement from the company read.