Alex Cruz told the BBC that hackers carried out a “sophisticated, malicious criminal attack” on its website.
The airline said personal and financial details of customers making bookings had been compromised.
About 380,000 transactions were affected, but the stolen data did not include travel or passport details.
BA said the breach took place between 22:58 BST on 21 August and 21:45 BST on 5 September.
“The breach has been resolved and our website is working normally,” BA said in a statement
“We have notified the police and relevant authorities. We take the protection of our customers’ data very seriously.”
BA said all customers affected by the breach had been contacted on Thursday night. The breach only affects those people who bought tickets during the timeframe provided by BA, and not on other occasions.
Mr Cruz added: “At the moment, our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data.”
Mr Cruz said that BA has a network of partners that monitor websites around the world. The cyber-attack was first discovered on the evening of Wednesday, 5 September, when a partner alerted the airline, which began investigating overnight to identify just how serious the attack was.
“The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”
The airline has taken out adverts apologising for the breach in Friday’s newspapers.
The company could potentially face fines from the Information Commissioner’s Office, which is looking into the breach.
Shares in BA owner IAG fell by 3.1% in early trade on Friday.
The National Crime Agency and National Cyber Security Centre confirmed they were assessing the incident.
Consumer group Which? said people concerned they could be at risk should consider changing their online passwords, monitor bank and other online accounts and be wary that fraudsters may refer to the breach in scam emails.
Meanwhile, BA customers expressed their frustration with the airline on social media.
Mat Thomas said he placed a booking on 27 August, but had not been contacted about the breach.
“Atrocious that I had to find out about this via news and twitter,” he tweeted.
“Called bank and had to cancel both mine and my wife’s card. Probably won’t get it back before we fly (ironically).”
Gemma Theobald tweeted: “My bank… are experiencing extremely high call volumes due to this breach! Couldn’t do anything other than cancel my card… not how I wanted to spend my Thursday evening.”
This is not the first customer relations problem to affect the airline in recent times.
In July, BA apologised after IT issues caused dozens of flights in and out of Heathrow Airport to be cancelled.
A number of short-haul flights were cancelled after an incident involving a “supplier IT system”.
The month before, more than 2,000 BA passengers had their tickets cancelled because the prices were too cheap.
BA apologised for the error on flights to Tel Aviv and Dubai, but customers said they were angry their tickets were not being honoured.
And in May 2017, serious problems with British Airways’ IT systems led to thousands of passengers having their plans disrupted, after all flights from Heathrow and Gatwick were cancelled.
“It does not indicate that the information systems are the most robust in the airline industry,” Simon Calder, travel editor at the Independent, told the BBC.
However, he does not think that BA will be impacted in the long term by the breach.
“The airline has immense strength. Notably it’s holding a majority of slots at Heathrow, and an enviable safety record, so while this is embarrassing and will potentially cost tens of millions of pounds to resolve, it’s more like another flesh wound for BA, rather than anything serious,” he said.
Please include a contact number if you are willing to speak to a BBC journalist. You can also contact us in the following ways: