Morrisons says the majority of its staff have been affected by the theft of payroll data.
BBC business correspondent Emma Simpson has been told that details of around 100,000 employees have been stolen.
The information, which includes bank account details, has been published online and sent on a disc to a newspaper, according to the firm.
Morrisons said its initial investigation does not point to the work of an outside hacker.
The Bradford-based chain sought to allay shoppers' fears by saying there had been no loss of customer data.
Morrisons says that staff will be not be "financially disadvantaged" by the data theft.
The company's response is being led by Chief Executive, Dalton Philips.
He is working with the police and cyber crime authorities to track down the source.
The criminal inquiry into the theft is being led by West Yorkshire Police.
Detective Chief Inspector Nick Wallen said: "We are aware of the situation and are supporting Morrisons and their investigation into these matters."
The firm is also undertaking an urgent review of its internal data security systems and it has set up a helpline for its staff.
Morrisons has told UK banks about the data loss and is working with them to help colleagues protect their accounts.
A spokesman for the company said the situation "remains fluid" as the investigation, which started last night, is "ongoing".
Morrisons put a message on Facebook this morning informing its employees of the breach and telling them what steps it is taking to limit the damage.
Staff have responded with a mixture of questions about what they should do next, and comments, some of which are angry.
The company found out about the theft on Thursday just after it had reported a £176m loss, and warned that profits in the coming year would be less than £375m, about half the level of last year's.
Shares in the company fell by more than 10% after that warning over profits on Thursday.
Guy Bunker, chief technical officer at cyber protection company, Clearswift, said that the security lapse at Morrisons proves that organisations have to be aware of internal security threats.
"It is a real problem. There are more challenges from within than without. People need to look at where they're spending their money and what they're spending on internal security protection
"You can't ignore the enemy within," he said.
The European Parliament has just approved a draft data protection law, which, if it were enacted, would mean that companies could be fined 5% of their global turnover in the event of a serious data breach.
The proposed changes are opposed by some large American and European companies.