But U.K. information regulators could end up fining British Airways over the breach.
BA said on Thursday evening: "British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline's mobile app".
"The moment we found out that actual customer data had been compromised that's when we began an all-out immediate communication to our customers, that was the priority", Alex Cruz, BA's chief executive and chairman, told BBC radio.
Under a new European Union data protection law introduced this year, companies that don't protect their customers from privacy and data breaches can be fined as much as 4 percent of their annual global revenue.
Future bookings will not be affected, BA said.
The police and relevant authorities have also been notified.
"There was a very sophisticated, malicious criminal attack on our website".
He said the company was "100% committed to compensate" customers.
Cruz said the hack was not a breach of the airline's encryption.
"Atrocious that I had to find out about this via news and twitter", he tweeted.
A spokesman for the Information Commissioner's Office said they would be making inquiries about the data theft.
Customers are being advised that should they be concerned about potentially being at risk, then they should consider changing their online passwords, monitor bank and other online accounts and be wary that fraudsters may refer to the breach in scam emails. It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
British Airways experienced an IT-related crisis in May past year when roughly 75,000 passengers were stranded after the airline cancelled more than 700 flights over three days because of system problems. The airline said affected customers should follow their bank or provider's recommended advice.