Myanmar’s AYA Bank hit by cyberattack claim

Yangon – 25 June 2026. One of Myanmar’s largest private banks has confirmed a cyberattack on its systems after an international hacking group claimed to have stolen vast amounts of customer data.

The group, known as LAPSUS$, announced on 23 June that it had taken more than 120 gigabytes of data from AYA Bank and threatened to publish the information on the dark web by 8 July unless a ransom is paid.

In a statement posted to Facebook, AYA Bank admitted that an older application portal had been breached, exposing some customer details. However, it stressed that its core banking system, AYA Pay, and card services were unaffected, and customers could continue using online and mobile banking as normal.

“The affected portal was not directly connected to our Core Banking System,” the bank said, adding that it had strengthened its cybersecurity measures and apologised to clients.

Independent monitoring platforms, including Ransomware.live and RedPacket Security, catalogued the hackers’ claims but noted they had not verified the authenticity of the stolen data.

LAPSUS$ has a record of high‑profile cyber‑extortion, previously targeting global technology giants such as Microsoft, Nvidia, Samsung and Uber.

As of 25 June, AYA Bank had not commented on the size of the alleged data haul or the ransom demand. The incident underscores growing concerns about digital security in Myanmar’s financial sector, where cyberattacks are becoming increasingly sophisticated.

-2026-06-26