I have a BA Amex and I make bookings every week with BA. I just phoned the BA Amex card number (from India, where I am now) and there's a recorded message "We are aware blah....you are not liable blah....there is no need to take any action at this time".
So no panic from them, it seems.
My previous booking (in the time frame) was done on ba.com whilst logged in and I used my saved card details, just having to enter my CVV. I wonder if that helped or not, given that I didn't have to actually key in a bunch of stuff? Depends where the malware was plonked, I guess.