LONDON (AP) — Britain’s cybersecurity agency on Wednesday urged companies to be vigilant after the BBC, British Airways and other firms said their employees’ personal details may have been compromised in a software hack.

The companies were the first major victims after hackers successfully breached a popular file transfer software called MOVEit. The Clop ransomware group, thought to be based in Russia, has threatened on its dark web site that stolen data, including personal details such as names and home addresses, could be published.

“We are working to fully understand the U.K. impact following reports of a critical vulnerability affecting MOVEit Transfer software being exploited,” Britain’s National Cyber Security Center said in a statement.

“The NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates,” it added.

MOVEit is a program widely used by businesses to securely share files online. Zellis, a leading payroll services provider in the U.K. that works with British Airways and hundreds of others, was one of its users. Zellis said Monday a “small number” of its customers have been affected by the breach.

It is thought that hackers broke into the software and used that to get into the databases of potentially hundreds of other companies.

“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool,” British Airways said in a statement. “We have notified those colleagues whose personal information has been compromised to provide support and advice.”

Drugstore chain Boots, which employs more than 50,000 people, also said it has made staff aware of the breach.

BA and Zellis said they have reported the incident to Britain’s Information Commissioner’s Office.