IAG's share price had fallen 3.8% from yesterday's close as of 12:30 UK time today, after subsidiary British Airways disclosed the theft of customer data from its website and mobile app.
The breach is being investigated "as a matter of urgency", says BA.
"We are deeply sorry for the disruption that this criminal activity has caused," states chief executive Alex Cruz.
Personal and financial details of customers who made made bookings on ba.com and the app were "compromised" between 22:58 UK time on 21 August and 21:45 on 5 September, the airline specifies. That window spans around 380,000 transactions.
BA stresses that "the breach has been resolved" and that the stolen data did not include travel or passport details.
Police and "relevant authorities" have been notified, says the airline. The UK's Information Commissioner's Office confirms that it is "making enquiries" after BA "made us aware of an incident", while the National Crime Agency says it is "working with partners to assess the best course of action".
BA is advising affected customers – with whom it is communicating – to contact their banks or credit-card providers.
"We take the protection of our customers' data very seriously," adds Cruz.