Southern Water has warned that data belonging to 5-10% of its customers has been stolen in a cyber attack.
In an email to customers on Tuesday, the firm said personal details and financial information may have been stolen for sale on the dark web.
The company provides water services across Kent, Sussex, Hampshire and the Isle of Wight.
It apologised and said it had contacted regulators and was working with cybersecurity experts.
Southern Water provides essential water services to 2.5 million customers and wastewater services to more than 4.7 million customers.
In an email to customers seen by the BBC, it said data including names, dates of birth, national insurance numbers, bank account details and reference numbers could have been stolen.
The company said it had been monitoring suspicious activity in its IT Systems since it was named on a Cyber Crime website last month.
In a statement the company said: “Based on our forensic investigations so far, which are ongoing, we are planning to notify in the order of 5 to 10% of our customer base to let them know that their personal data has been impacted. We are also notifying all of our current employees and some former employees.
“We have engaged leading independent cybersecurity experts to monitor the ‘dark web’. We take data protection and information security very seriously and, in accordance with our regulatory obligations, we are making contact with anyone whose personal data may be at risk.”
It added that services and water supplies had not been affected.
The Information Commissioner’s Office (ICO) said it had received a report about the incident and was investigating.
It added: “Our advice to the public remains that if anyone is concerned about how their data has been handled or they are concerned about a potential breach, they should get in touch with the ICO.”