The Maze ransomware gang have started posting payment card data stolen during a breach at state-owned Banco de Costa Rica.
The hacking crew are understood to have gained access to BCR servers in February, encrypting data and stealing approximately four million unique payment card numbers.
The gang say they intend to release the stolen data in drip feed fashion, putting pressure on the bank to pay up a ransom demand.
In a message issued on 21 May, the Maze team states: "We apologies in front of all clients of Banco BCR and all those who were using its services for publishing your personal data. We regret that Banco BCR and regulators don't care about their clients and their personal data.
"Every week, one new base leaked from Banco BCR will be published."
Security researchers Cyble has verified the data leak, which consists of a 2GB CSV file containing details of various Mastercard and Visa credit cards or debit cards.