BA used to be described as a pension scheme that ran an airline. These days to run any modern, efficient company you need to be an IT company that runs an airline. The flying bit is old hat and much the same as when I was a despatcher and ops planner in the early 90s. The clever bit is selling the seats and handling the complexity of bookings, check-in, and third party sales (hotels, car-hire, fast-track security etc.) as efficiently and effectively as possible. Which takes a great in-house IT team that have loads of experience in an airline, not a mars bar factory. Outsourcing the IT is like outsourcing the aircraft, crews and customer service - but maybe that's what BA wants to do, while sitting on a valuable pile of slots. Maybe they should just close the whole lot down and lease the slots whith a couple of people collecting the money and passing it on to the pension fund and government taxes. When I worked there we joked that if we sold all the assets and invested the money the business would be far more profitable.
On the technical side of this breach it looks like BA is in breach of the Payment Card Industry rules (PCI DSS) by having multiple externally linked scripts running on the payment page where none are allowed. The hackers just injected another script that skimmed off the details (so I read from IT sources). This must make them liable for a huge Information Commissioner's Office fine under GDPR.