Here is an explanation of the BA breach from just after it was discovered: Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims
* the cracked library was years out of date.
* the crackers managed access and write permission.
The attack was basically at a script kiddie level, this was not some sophisticated 1337 h4x0r sophisticated crack. Put simply BA was, in web payment security terms, grossly negligent. And, as we know from previous fines for egregious PII breaches over the years they were simply received as a cost of doing business. Making the cost hurt may just make the recipient as well as others treat security as as a necessary requirement and not a joke.
However, as BA has said they will appeal I expect the fine will be rolled back 'in the national interest' or similar and impetus for change will dissipate once again. That said: good on you, Elizabeth Denham (ICO Commissioner), good on you.
Call me a conspiracy theorist, but I am sure that countries like the USA, China, and Russia, have the technologies and resources to track down hackers. I don't believe that hackers are smarter than the intelligences of these countries...
Over time, yes but it takes a lot of effort and can be impossible in each specific instance if the cracker knows what they are doing. Eventually usually a mistake is made in a given instance (EG: if there is a 1% chance of being caught and one doesn't stop...) and code fingerprints tie back to other cracks.
Then, while the cracker may be 'identified' it may be an alias and not a true identity.
Also, the cracker may be currently jurisdictionally untouchable unless travels to where 'gettable' and law enforcement is aware.
And lastly, governments are motivated by national security and politics - a strictly business crack is rarely seen as either.