More than 185,000 people may have had payment card details stolen in a hack attack on the BA website.
The victims were caught out by a website compromise that had gone undetected for months.
BA only discovered the breach while investigating a breach of its website in September, which affected 380,000 transactions.
BA owner IAG said both attacks seemed to have been carried out by the same group or gang.
It added that it would contact the customers to let them know that their information had gone astray.
Information about the breach was revealed in a stock exchange announcement by IAG. It said the earlier attack took place between April 21 and July 28. It only affected customers who had made bookings by cashing in BA loyalty programme rewards.
IAG said two separate groups of customers were affected by the hack attack:
- 77,000 people had their name, address, email address and detailed payment information taken
- 108,000 people lost personal details apart from the CVV number for their payment cards
So far, few other details have been revealed about this attack.
In early September, BA revealed that its website and app had been compromised between 22:58 BST on 21 August and 21:45 BST on 5 September. About 380,000 people were caught up in this incident and, said BA, details of payment cards used by 244,000 of them were affected.
"Since the announcement on September 6, 2018, British Airways can confirm that it has had no verified cases of fraud," it said.
The September attack prompted an investigation by the UK's National Crime Agency and the Information Commissioner's Office.
BA and IAG could face huge fines because the breach took place after stringent European privacy and data rules - known as the General Data Protection Regulation - came into force.