I don't think a company in the UK could  legally do that - the employee designates where his pay is deposited (subject to court orders, and maybe to regulations issued by the Inland Revenue Service), not the company.
As for security, yes I have an 8 digit account number.  However,  it doesn't help anyone hack into my account.   To do that they need to have possession of my debit card, know my online scheme membership number, have a one-off password construction device programmed to match the security at the bank's end, and know my PIN for my debit card in order to get the device to construct a one-time password (it incorporates a card interface and requires pin input that the card verifies).  I thought that similar leve lof security as operated now by all UK banks, and would be surprised to find poor online banking security anywhere in within the EU or indeed in India or Lebanon (don't know about the rest of the world, haven't spent enough time there).