Shares of British Airways' parent company IAG fell around 4% as markets opened on Friday morning, hours after the airline said the credit card information of at least 380,000 customers had been "compromised" in a data theft.
BA says the breach relates to bookings made between 10.58pm on August 21 and 9.45pm on September 5. It said no passport or travel details were compromised.
The police and relevant authorities have also been notified.
Some angry travellers complained to Britain's Press Association that they had already noted bogus activity on credit cards that had been used to make British Airways bookings during the time when the breach was undetected.
In the U.S., Delta Airlines said in April that payment-card information for several hundred thousand customers could have been exposed by a malware breach months earlier.
"Atrocious that I had to find out about this via news and twitter", he tweeted.
He said the company was "100% committed to compensate" customers.
"Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it".
Alex Cruz, British Airways' chairman and chief executive, said: "We are deeply sorry for the disruption that this criminal activity has caused".
"I asked repeatedly for an explanation".
The National Crime Agency said: "We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action".
BA apologised in July after technology issues caused dozens of its flights to and from London Heathrow Airport to be cancelled.
BA announced last month that it will halt flights to Tehran in September, citing low profitability as the United States reimposes sanctions on Iran.