Hundreds of staff at mobile phone company Sure have had their bank details and other personal data stolen in a "targeted" phishing attack.
Current and former employees working for the telecoms firm on the Isle of Man, Guernsey and Jersey have been affected.
The data includes names, addresses, account numbers and sort codes.
A spokesman said "fewer than 400" people were affected but no existing customers' data had been accessed.
The company is one of the main mobile and broadband providers on the islands.
The firm said it was contacting those affected, which includes "suppliers", urging them to be "extra vigilant" and working with the islands' authorities.
The attack is thought to have come in via a staff email account, which has since been shut down."Human error" was partly to blame, the company said.
A spokesman said Sure could not confirm any information about "the location or individual" whose account was targeted, for "confidentiality and security purposes".
Sure has apologised and said it was "constantly reviewing" its training programmes.
The Isle of Man Information Commissioner's office said it had been informed of the attack and an investigation had been launched.