I think I now may have the answer to my question. According to a report on BBC just now, it seems the hackers installed a bit of software into the BA web site which recorded the live data as it was being input by the customers. I had assumed, until then, that they had found their way into a BA database and downloaded it from that.
friartuck: Ticking T&C boxes would still not allow companies to hold your financial data for any length of time beyond the limits specified in the DP rules. Contact details would be a different issue and ticking boxes will allow them to hold stuff such as email contacts, location etc.