Spanish banking group Globalcaja has confirmed that it has been hit by a ransomware attack carried out by the Play gang.
In a statement posted on Twitter, Globalcaja says it discovered the attack on "some local computers" on 1 June.
The Play ransomware group has taken credit, claiming on its Tor leak site that it has obtained sensitive and confidential information, including private client and employee data, documents, passports and contracts.
It is threatening to publish the data on 11 June unless Globalcaja pays up. The bank has not disclosed whether it has paid, or will pay.
Globalcaja has more than 300 offices across Spain, with around 1000 employees serving nearly half a million customers.
It says that online banking and ATMs are operating as normal and it has activated security protocols, closing some offices and "temporarily limiting the performance of some operations".
"We continue to work hard to finish normalising the situation and analyse what happened, prioritising security at all times."
Ray Kelly, fellow at the Synopsys Software Integrity Group, says: "Organisations must remain hyper vigilant when it comes to securing their environment. Overlaying multiple cybersecurity techniques is the best chance of preventing a breach; using just one solution will not get the job done."