Hackers breached the file transfer software MOVEit, which is widely used by corporate clients, including the payroll provider Zellis.
The Russian hacking group Clop claimed responsibility for the attack.
The Clop group posted a notice on the dark web warning those affected by the MOVEit hack to email them before 14 June or stolen data will be published.
Staff’s stolen information includes dates of birth, national insurance numbers and home addresses.
The BBC has said it does not believe its employees’ bank account details were compromised.
However, staff at British Airways have been warned their bank details may have been stolen, according to aviation news website Simple Flying.
Oliver Willis, a partner at law firm BDB Pitmans, who specialises in data issues, said employer liability for the attack will depend on their security precautions.
Speaking to HR magazine, he said: “Employers have a duty to maintain appropriate security measures for the personal data they hold, but the law recognises that sometimes these attacks will succeed despite those measures.
“One of the precautions that the regulator and courts usually expect is that organisations apply security patches promptly when software developers release them.”
Progress Software, the company which created the MOVEit tool, said it alerted customers as soon as the hack was discovered and quickly released a downloadable security update.
The National Cyber Security Centre has urged businesses to apply this fix.
Willis said employers also need to report the breach, depending on the quantity and type of data stolen.
He said: “Employers whose data has been accessed by hackers exploiting the reported vulnerability need to decide whether to report the breach to the Information Commissioner’s Office and the affected employees.
“There is a duty to report the breach if it reaches a certain risk threshold, so the decision may differ from one employer to another. There is a 72-hour time limit for reporting breaches.”
Government figures published in March 2022 indicate almost four in every 10 employers (39%) reported at least one cyber attack in the previous 12 months, while fewer than 15% of the UK’s small and medium-sized enterprises have a standalone cyber insurance policy in place.
Steve Herbert, wellbeing and benefits director at Partners&, said cyber security is HR's responsibility and must be a priority.
He said: “Cyber security experts often point to the ‘human element’ as the inconsistency which – deliberately or accidentally – enables criminals to find an access route into their employer’s computer systems.
“And, although this latest attack doesn’t appear to be the result of employee actions, it has nevertheless led to the stealing of sensitive employee data as the ultimate objective of criminal activity.
“It follows that employees can be the catalyst for such an attack and/or the victims of it, and this makes cyber security very much an HR issue. HR experts may therefore need to become far more involved in implementing policies, procedures, and insurances to minimise these risks across their entire workforce.”
Matthew Clark, Partners&’s cyber director, said HR needs to be aware of its responsibilities in the event of a cyber attack. He said: “They may need to report breaches to the Information Commissioner, notify each data subject of the leak, and potentially pay significant levels of compensation. Employers are often required to also bear the cost of monitoring services to minimise fraud for those impacted by the breach.
“I would strongly encourage many more HR experts to consider the benefits of cyber insurance to protect both their employer and their employees.”