In a statement, the ICO said the breach involved the diversion of user traffic from the BA site to a fraudulent site.
It said the personal data of nearly half a million customers was compromised and that login details, credit card numbers, booking particulars and addresses were all stolen.
British Airways disclosed that the financial and personal details of 380,000 customers had been stolen from its site between 21 August and 5 September.
Tech experts said later that the breach appeared to have been effected through a cross-site scripting flaw.
British Information Commissioner Elizabeth Denham said: "People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The ICO statement said BA, which is owned by IAG, would have the chance to respond to the findings and proposed sanction.
"The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision," it added.