British Airways and retailer Boots said their staff were among those hit by a cyberattack on Zellis, a payroll provider used by hundreds of companies in Britain.
The BBC also suffered a data breach, it said.
British Airways, owned by IAG, said it had notified affected employees and was providing them with support.
“We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit,” BA said in a statement on Monday.
Part of the Walgreens Boots Alliance, Boots said the attack had included some of its employees’ personal details.
“Our provider assured us that immediate steps were taken to disable the server,” Boots said.
Boots employs over 50,000 people in Britain, while British Airways has about 30,000 staff.
A BBC a spokesperson said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach.”
“We take data security extremely seriously and are following the established reporting procedures.
The attack has been linked to a Russian cyber gang called Clop by experts, who suggest the group gained access through a backdoor in a file transfer software used by Zellis.
The software in question is called MOVEit and is owned by Progress Software.
US security researchers warned on Thursday hackers had stolen data from the systems of a number of users of the file transfer tool MOVEit Transferone one day after the maker of the software disclosed that a security flaw had been discovered.
The compromised data includes names, addresses and national insurance numbers, said the Daily Telegraph newspaper, which first reported which companies had been affected by the breach.