A privacy watchdog estimates that about 90 organizations have reported breaches involving personal data held by outsourcing giant Capita.
It was discovered that Capita had left a collection of data online unprotected after the company experienced a cyber attack in March of this year.
Currently, warnings are being sent to hundreds of thousands of people who may have been impacted by the hack.
Capita claims that it has taken measures to protect the data.
The privacy and data watchdog, the Information Commissioners Office (ICO), reported that about 90 organizations have spoken with it about Capita so far.
According to the ICO, "We are receiving a significant number of reports from organizations directly affected by these incidents, and we are currently conducting inquiries.".
Many public and private organizations rely on Capita, and they use them to manage millions of people's personal information.
Through Capita, which also serves councils as a client, many corporate pension plans manage payments.
Two problems are affecting Capita. The first was the cyberattack earlier this year, which was followed in May by the revelation that Capita had left a file repository online with no security measures in place.
Capita said in a statement: "We have taken significant steps to recover and secure the data, and we continue to closely collaborate with forensic experts, specialist advisers, and advisors to investigate the cyber incident. ".
The first incident, which security researcher Kevin Beaumont is "very confident" was a ransomware attack, was significant because of the variety of data that could have been at risk and exposed victims to fraud, he told the BBC.
Mr. Beaumont informed Capita of the second problem in April, but it wasn't made public until the following month. This problem left files online in an unsecured state.
While Capita initially told journalists it did not think personal data was at risk, a number of councils have stated they do.
The ICO advises businesses to check to see if any of the personal information they have on file has been impacted by the attack or the exposed data.
The term "personal data" refers to information about a specific person or that could be used to identify a person, such as a name or an address.
If a personal data breach is discovered, organizations are required to notify the ICO within 72 hours, unless there is no risk to the rights and freedoms of individuals.
The March cyberattack targeted several pension funds that use the Hartlink system from Capita.
In a letter sent earlier this month, The Pensions Regulator (TPP) urged more than 300 pension funds to determine whether the attack had exposed any of their data to risk.
The main university pension fund in the UK, the Universities Superannuation Scheme (USS), is in the process of writing to all 500,000 of its members to let them know their data was in danger.
The BBC obtained a copy of the letter and it alerts recipients that "some of your personal information was held on Capita computer servers accessed earlier this year.".
In the letter, the hackers claim to have "accessed and/or copied" personal information such as "your title, initial(s), and name, your date of birth, your National Insurance number, your USS member number, and your retirement date.".
It stated that recipients have access to a service run by credit score provider Experian for a full year in order to "detect possible misuse of your personal data.".
Senior researcher at Cambridge University Dr. Eleanor Drage was among those who got a letter of warning.
I have my entire career ahead of me, and my personal and pension information is now permanently in the public domain, the woman said. ".
She expressed concern that the information might be linked to other records about her and claimed that the offer of the Experian service was "not a resolution, it's an insult.".
She continued by saying that some of her academic peers had been debating possibly filing a lawsuit in response to what had occurred.
According to Capita, "We have moved swiftly to provide our clients with information, reassurance, and support, while delivering for them as a business," according to the BBC.
"We will do so if necessary to offer those affected by our actions additional support. " .
According to the statement, the second incident's online data exposure was "secure and no longer accessible, and our investigations into this matter are ongoing.
. "
