On GitHub, when you create a pull request (PR) from a branch, you are able to view commit history even if you close the PR and delete the branch. This means that if you have sensitive data on GitHub that should not be exposed, the data will still be shown there even if you make an extra commit to remove it.
What you need is not to make additional commits, but to modify the commits you made.
Solution 1 (easy): Remove commits and close the PR
keep the PR open and do not delete the branch
create a local back up branch in case you want to cherry-pick commits later on
switch to the branch of the PR that has the sensitive data
make a commit to delete the sensitive data if you have not
push the branch
find a previous commit of the commit that added the sensitive data and copy the commit hash
hard-reset
git reset --hard <commit-hash>
force push
git push -f
Solution 2 (advanced): Rewrite commits and keep the PR
create a local back up branch in case the branch is messed up
switch to the branch of the PR that has the sensitive data
make a commit to delete the sensitive data if you have not (this is for the sensitive data not to show on GitHub after force-pushing)
push the branch
rewrite commit history using
git rebase -i
force-push