One of Myanmar’s largest private banks has acknowledged a cyberattack on its digital infrastructure, though it maintains that its core financial networks remain secure after an international extortion group claimed a massive data breach.

The hacking group, calling itself LAPSUS$, claimed on June 23 to have stolen more than 120 gigabytes of data from AYA Bank. The group threatened to publish the compromised information on the dark web by July 8 unless a ransom is paid.

In a statement posted to its official Facebook page, AYA Bank admitted that an application portal had been breached, exposing some customer information. However, the bank stated the vulnerability was limited to an older portal and did not compromise its vital financial operations.

“The affected portal was not directly connected to our Core Banking System, AYA Pay, or card systems,” the bank said, adding that customers could continue using internet and mobile banking services normally.

The financial institution noted it has since heightened its cybersecurity measures and apologized to its clientele, while insisting that core financial data remains secure. As of June 25, AYA Bank had not publicly addressed the specific size of the data haul claimed by the hackers or the ransom demand.

The extortion claim was detected by independent cybersecurity tracking platforms, including Ransomware.live and RedPacket Security, which monitor dark web leak sites. According to postings cataloged by those platforms, LAPSUS$ claims the stolen dataset includes personally identifiable customer information taken directly from the bank’s main platform.

The monitoring platforms noted they had only indexed the hackers’ public assertions and have not independently verified the authenticity or the exact origin of the stolen data.

LAPSUS$ has a history of high-profile cyber-extortion, having previously claimed responsibility for disruptive digital attacks on major global technology firms, including Microsoft, Nvidia, Samsung, and Uber.