In an update to its 6 September advisory about the theft of credentials from its website payment page, BA said the car numbers, expiry date and CVV numbers of customers making reward bookings between 21 April and 28 July could have leaked.
A further 108,000 also saw their payment details, without CVV, "potentially compromised" during the incident.
"Since our announcement on 6 September regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft," the airline said in a statement.
"We are updating customers today with further information as we conclude our internal investigation."
It also said that of the 380,000 payment cards initially suspected to be affected, investigations had found that 244,000 had been affected. No cases of fraud had yet been reported.
The airline, which ranks eighth worldwide in terms of passenger-kilometres flown by individual carriers, said in its initial report the stolen data did not include passport or travel details.
Five days after the incident report, the security firm RiskIQ claimed that the breach was carried out by a group known as Magecart which was also responsible for infiltrating the Ticketmaster UK website earlier this year.
RiskIQ's Yonathan Klijnsma said in a blog post that the BA report on the breach had mentioned the theft of customer data directly from payment forms and this was why his company had suspected Magecart.