Name, email address, credit card details including (unbelievably) CVV.
My understanding is that by law, a CVV cannot be logged or stored in any way.
Obviously those responsible at BA did not carry out "due diligence" before awarding a contract to the outsourced IT company.
This could be the downfall of BA, not just because of the size of any fine imposed, but because of the loss of confidence of their customers. I, for one, won't be passing them any credit card details anytime soon.