Colchester City Council is investigating what it is calling a “serious data breach” involving the outsourcing contractor Capita.
The council launched a probe into the incident on Monday, saying that Capita failed to safely store personal data.
On Wednesday, it said that data relating to benefits people were receiving was being stored in an insecure way by the firm.
The BBC has approached Capita for comment.
The council said Capita had told it the firm was looking into the issue and had so far seen no evidence that the historic benefits data, relating to the 2019-20 and 2020-21 financial years, had been used maliciously.
At the start of May, the UK’s Pension Regulator urged hundreds of pension funds to check if client data may have been compromised after Capita was the target of a suspected ransomware attack.
Capita said at the time its investigation suggested the cyber-incident occurred as a result of unauthorised access to its systems.
In an update posted on its website on 10 May, the firm said it had interrupted the attack and “significantly restricted” its impact, so only some data was extracted from “less than 0.1% of its server estate”.
It said it had taken steps to recover and secure affected data and was working with necessary regulators, customers and suppliers to alert those affected.
Following reports of a second breach involving unsecured Amazon data in early May, a Capita spokesperson told the website TechCrunch this contained “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice”.
Richard Block, chief operating officer of Colchester City Council, said: “The privacy and security of personal information is paramount, and we are extremely disappointed that such a serious data breach by one of our contractors has occurred.”
He said it was “unacceptable” that the firm had failed to meet data protection standards for safely handling sensitive information.
Mr Block added that while Capita had assured the council that personal bank account details had not been compromised, he understood the breach would still cause concern.
“We expect a full explanation and remedy from the company and for them to apologise directly to those affected,” he said.
The firm is used by many UK organisations, councils and authorities, including the NHS and UK government, to carry out a range of IT and financial services.