RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.
It may be a naive question, but if the offending script has been identified and examined, would it not contain pointers to the culprits' server that it had been sending the captured credit card details to ?