The gang thought to have carried out a cyber attack on companies including BA and Boots has given victims a deadline to negotiate or have the hacked information published online.
The suspected Russian group Clop, which claimed responsibility for the attack, issued the notice on the dark web to victims of the MOVEit software hack.
Personal data of more than 100,000 employees was accessed in the attack, including bank and contact details.
In a dark web blog post, Clop told victims to email and negotiate with the group by 14 June, the BBC reported.
The BBC itself was impacted by the attack, as was airline Aer Lingus.
More victims have emerged, including the University of Rochester in New York. The government of Nova Scotia in Canada also said it was subjected to the attack.
Clop has reportedly claimed it has deleted any data from government, city or police services, saying: “Do not worry, we erased your data you do not need to contact us. We have no interest to expose such information.”
Payroll software company Zellis – which used the MOVEit software that resulted in BA, BBC and Aer Lingus staff having their data accessed – said eight of its customers were hit but did not name them.
Other Zellis customers include Jaguar Land Rover, Harrods and Dyson.
Potentially hundreds of companies using the popular MOVEit business software may be impacted.
Origins of cyber attack ‘appear to have Russian links’ – analysis
A weak link in MOVEit code – a so-called zero day vulnerability – enabled hackers to access its servers and the personal and financial data of employees.
The group’s motivations are unclear so far. It claimed responsibility in an email to Reuters news agency on Monday.
A MOVEit spokesperson said: “Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps.”
They added: “We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability.”