Rob Burgess, who edits a website dedicated to air travel, told The Daily Telegraph: "Data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated".
Cruz said the carrier was "deeply sorry" for the disruption caused by the attack which was unprecedented in the more than 20 years that BA had operated online.
BA advised customers to contact their bank or credit card provider and follow their recommended advice.
The theft affects reservations, ticket purchases and other bookings made between August 21 and September 5.
"Sadly this data breach is likely to knock back its efforts".
Some angry travellers complained to Britain's Press Association that they had already noted bogus activity on credit cards that had been used to make British Airways bookings during the time when the breach was undetected.
"We take the protection of our customers' data very seriously", said Alex Cruz, British Airways' Chairman and Chief Executive.
"Called bank and had to cancel both mine and my wife's card". Typically, we're lucky to get a date range of less than six months to a year, which makes a potential victim's response to any threat hard.
Paul Farrington, Head of EMEA at app security company CA Veracode also warns that things are different now, with GDPR in force.
It is also offering to pay for a credit checking service for affected holidaymakers.
In May 2017, serious problems with British Airways' IT systems led to thousands of passengers having their plans disrupted, after all flights from Heathrow and Gatwick were cancelled.
According to Reuters, the customer data, including personal and financial information involving 3,80,000 transactions, was stolen between August 21 and September 5.