It was stolen via JavaScript injected on the payment page, not from having stored data exfiltrated. This writeup calls it "digital card skimming", which seems to be a good analogy for the attack: https://www.riskiq.com/blog/labs/magecart-british-airways-br...