PPRuNe Forums - View Single Post - BA hacked but they're 'deeply sorry'
Old 13th Sep 2018, 06:38
  #72 (permalink)  
msbbarratt
 
Join Date: Apr 2008
Location: UK
Posts: 379
There are reports surfacing that the malware concerned was injected into a third party's customer feedback code library that BA were using (carelessly) on their website. When your browser downloaded BA's page, that in turn would go fetch the code from the third party. The mistake BA made was to do that on payment pages too. Someone has hacked the third party, so BA were unwittingly bringing in the hacked code from there whilst also asking you for credit card details, etc. The hacked third-party code, as part of the web page BA composed, is free to access any data being typed on the page by customers. Bingo!

BA's failure was to make their web security only as good as that of all the third parties they fetched code from. Oops.

It's the equivalent of booking a ticket by phone, and the vendor letting someone eavesdrop on the conversation whilst you read out your card number without taking too much care to check who that someone actually was, is, or could be.

It now looks like it's popping up all over the Internet, so BA may well not be the last we hear of this.
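An added example, not part of the original post: a small audit that lists the scripts a payment page pulls from other hosts and flags those without a Subresource Integrity (`integrity`) attribute, since an unpinned script runs whatever that host serves at load time. The sample page and all host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample payment page; hosts, paths and the hash are placeholders.
SAMPLE_PAGE = """
<html><body>
<form action="/pay"><input name="card-number"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://feedback.example.net/widget.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="//tags.example.com/t.js"></script>
</body></html>
"""

class ScriptAudit(HTMLParser):
    """Collect external <script src> tags and whether each is pinned with SRI."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.scripts = []  # tuples of (host, src, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: part of the page the first party served
        # Relative URLs have no hostname, so they resolve to the first party.
        host = urlparse(src).hostname or self.first_party_host
        self.scripts.append((host, src, bool(a.get("integrity"))))

def audit_payment_page(html, first_party_host):
    """Return third-party scripts, unpinned ones first."""
    parser = ScriptAudit(first_party_host)
    parser.feed(html)
    third_party = [s for s in parser.scripts if s[0] != first_party_host]
    return sorted(third_party, key=lambda s: s[2])

if __name__ == "__main__":
    for host, src, pinned in audit_payment_page(SAMPLE_PAGE, "shop.example.com"):
        status = "pinned (SRI)" if pinned else "UNPINNED: runs whatever the host serves"
        print(f"{host:22} {status:42} {src}")
```

A pinned script is refused by the browser if the file no longer matches its hash; the unpinned ones are the includes to move off payment pages or self-host.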