Age UK estimates that as many as 5,000 current and former staff members might have been affected by two separate data breaches at the charity.
The older people’s charity has written to staff warning them that their data might have been exposed in two recent "unrelated data security incidents" and the Information Commissioner’s Office has opened an investigation into the charity.
The Charity Commission said it had also been in touch with Age UK about the breaches.
A spokeswoman for the charity said the breaches affected all staff who had been employed by the charity between January 2013 and March 2017, including those who had now left the organisation.
The charity currently employs 1,548 people, but in 2014 there were as many as 1,934.
The spokeswoman told Third Sector that the charity thought between 4,000 and 5,000 people might have been affected, but it was still trying to establish the precise number.
She said the information did not include employees’ bank details or passwords and the charity was not aware that the data had been misused by anyone.
Age UK said it had reported the breaches to the relevant authorities.
A Charity Commission spokeswoman said: "The commission is aware of an incident involving employees’ personal data at Age UK.
"Following data protection law is a critical compliance area for any charity that handles personal information, and the commission has issued alerts to advise trustees on this."
She said the ICO would lead any regulatory engagement on the issue.
But she added: "We are in contact with the charity and are assessing information provided to establish whether trustees have met their legal duties and if there is a further regulatory role for us."
An ICO spokeswoman said: "We are investigating an incident involving Age UK. We understand the organisation is informing staff if they have been affected.
"There are measures people can take to guard against identity theft, such as being vigilant about items on their credit card statements or checking their credit ratings. There are more tips and information on our website."
The Age UK spokeswoman said the charity had offered to pay for affected staff to have two years’ Cifas protective registration, which provides extra checks whenever the data is used to ensure it is not being used by fraudsters.
Cifas protection costs £20 for two years, which means this could cost the charity as much as £100,000 if all the estimated 5,000 staff take up the offer.
The Age UK spokeswoman said: "We take any threat to data security very seriously and we have acted as swiftly and thoroughly as possible to reinforce our defences.
"We have informed all individuals affected and the relevant authorities and set up a helpline for any staff wanting more support or information."