U.S. and U.K. cybersecurity officials said June 7 that a Russian cyber-extortion group known as Clop hacked a file-transfer program that is used by numerous big-name corporations and government agencies. The BBC, British Airways and the government of Nova Scotia were some of the first major entities involved in the data-theft attack.

The exploited program, called MOVEit, is used to securely share files. The parent company of its U.S. maker, Progress Software, alerted customers of the breach on May 31 and issued a patch to resolve the problem. However, cybersecurity researchers told the Associated Press that upwards of hundreds of companies may have had sensitive data stolen by that point.

Several other notable companies and entities confirmed they were part of the cyberattack including payroll service provider Zellis and the U.K. drugstore chain Boots.

The University of Rochester also issued a statement recently suggesting it had been a victim of the attacks, although a spokesperson for the school did not confirm that it used the MOVEit program or discuss what data was stolen.

According to Caitlin Condon, senior manager of security research for Rapid7, there are “undoubtedly” organizations that don’t even know yet that they have been affected by this hack.

“This is potentially one of the most significant breaches of recent years,” said Brett Callow, analyst at the Emsisoft cybersecurity firm. “We’ll have a better sense of how significant it is as more details emerge about the number and type of organizations impacted.”

The Clop ransomware group said in a June 6 post on its dark-web site that its victims had until June 14 to get in touch with the organization to negotiate a ransom or risk having stolen information posted online.

In a joint advisory issued June 7, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency estimated that Clop has compromised “more than 3,000 U.S.-based organizations and 8,000 global organizations” since the group first appeared in February 2019.