“We have been informed that we are one of the companies impacted by Zellis's cybersecurity incident which occurred via one of their third-party suppliers called MOVEit,” said BA, owned by IAG.
Boots has more than 50,000 workers in Britain and the BBC employs more than 20,000. Neither organisation has said how many people's data has been obtained.
US security researchers warned last Thursday that hackers had stolen data from the systems of a number of MOVEit users.
The maker of the software also said a security flaw had been discovered last week.
The compromised data includes names, addresses and National Insurance numbers, according to British media reports.
Boots, part of the Walgreens Boots Alliance, also said the attack had included some of its employees' personal details.
“Our provider assured us that immediate steps were taken to disable the server,” said Boots.
Zellis has confirmed that eight of its clients were affected by the attack, without identifying them.
The BBC confirmed it had been affected by the attack on Zellis. A representative said the broadcaster was urgently trying to establish the extent of the data breach.
Zellis said in a statement: "We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.
"We employ robust security processes across all of our services and they all continue to run as normal."
The data theft is the latest in a string of technology problems afflicting British Airways.
Last month, a computer issue led to the cancellation hundreds of flights.
IAG group chief executive Luis Gallego said earlier on Monday that the tech problems were fixable “but it’s going to take time”.
The group is investing huge amounts in its tech infrastructure, Mr Gallego said at the annual International Air Transport Association general meeting in Istanbul.
In 2017 there was a major computer system failure that stranded 75,000 passengers over a bank holiday weekend, causing a public relations disaster and pledges from the company that it would do better in future.