A water company targeted by hackers says the bank details of customers could have been accessed and potentially leaked on the dark web.
South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, said it had started informing customers involved.
The firm serves more than 1.7 million people, but has not revealed how many of those are affected.
It said it was liaising with the National Crime Agency.
The company, which caters for residential and business customers in Staffordshire, parts of the West Midlands and in and around Cambridge, was targeted on 16 August.
Names and addresses of account holders, together with the sort codes and account numbers used for Direct Debit payments, could all have been accessed by hackers, it said.
It has issued an apology to those affected and said it was "still assessing the potential impact on customer data".
"Investigations like this are very complex and it takes time to understand what happened and then to analyse the data that could have been impacted," it said.
"As soon as we were aware that we needed to notify our customers in compliance with our legal obligations we began to do so."
South Staffordshire PLC has written to affected customers offering free access to a credit monitoring service for 12 months, which, it said, would alert them if any of their personal data had been compromised on the dark web.
Details of a dedicated helpline are also included.
The firm said it had experienced disruption to its corporate IT network, but its ability to supply safe water was unaffected.
Posting online at the time, a ransomware group had claimed it was possible to tamper with water supplies, but this was disputed by the water company.
Ransomware attacks involve criminals breaking into a network and stealing or blocking access to important files until a ransom payment is made.
"Consumers can have complete confidence that the water we supply is safe," said Andy Willicott, managing director of South Staffs Water.
"We understand that customers trust us to keep their data safe and I'd personally like to say sorry to all those customers impacted - we'll be doing what we can to support you through this."
One customer, posting on Twitter, said they were "absolutely dumbfounded" that the data had been breached.
"Why are we the customers expected to sign up for protection from further misuse of our data?" they added.