Myanmar AYA Bank has acknowledged that a legacy application portal used by the bank was the source of a data breach involving certain non-financial application records.
In a statement, the bank said the affected portal was not directly connected to its core banking system, AYA Pay platform or card management system. It added that its financial infrastructure, including AYA Pay, internet banking and mobile banking services, had not been compromised and that customers’ financial data remains secure.
The bank’s explanation, however, contrasts sharply with claims made by a hacking group, which alleges it obtained approximately 120 gigabytes of data from AYA Bank’s core systems.
“They say the core banking system wasn’t breached, but the information has already been leaked,” one AYA Bank customer told New Day Myanmar. “This concerns data relating to bank users. The issue cannot simply be explained away. The bank needs to provide a full and transparent account because no one knows how extensive the impact may be.”
Another customer, commenting beneath the bank’s statement, questioned the bank’s response.
“If the application portal was compromised, that means the unique identification data of everyone who submitted applications may have been exposed. Many people use their birth date or phone number as passwords, and application forms require extensive personal information. Instead of downplaying the incident, the bank should clearly explain what preventive and protective measures customers need to take,” the customer wrote.
AYA Bank’s acknowledgement came after a hacking group operating under the name LAPSUS$ GROUP claimed it had obtained the bank’s data.
On June 24, cyber threat monitoring platform Dark Web Informer reported that AYA Bank had been listed as a target of the group.
The hackers claim they possess around 120 GB of compressed data, including personally identifiable information (PII) and files allegedly extracted from the bank’s internal systems. They have threatened to sell the data to a single buyer beginning on July 8 unless the bank enters negotiations.
The group has not publicly released the alleged dataset. Instead, it has published screenshots showing a file tree containing filenames and directory structures.
Among the filenames displayed are all_cards_v6.csv, credit_cards.csv, visa_cards.csv and customer_payments_success.csv, which appear to relate to payment records and card information.
A cybersecurity expert who examined the published file tree told New Day Myanmar that it also included filenames such as Approved Credit Card Payroll list.xlsx, which may be linked to employee payroll processing, as well as files that appear to contain branch information and transaction records.
“From a cybersecurity perspective, simply telling customers that services remain safe after personal data has been exposed is not a sufficient response,” the expert said. “What matters is what additional security measures have been implemented and how the leaked information will be contained and addressed.”
AYA Bank has not disclosed what categories of data were compromised, how many customers may have been affected, or whether names, phone numbers, national registration details or residential addresses were included in the breach.
Cybersecurity experts warn that even if customers’ bank accounts are not immediately at risk, exposed personal information could be used in targeted phishing campaigns, identity fraud and scams involving criminals impersonating bank employees.
Customers are advised never to disclose one-time passwords (OTPs), passwords, PINs or CVV numbers to anyone, avoid clicking on suspicious links, and contact the bank immediately if they detect any unauthorized transfers or card transactions.
