brand logo
High price of digital negligence

High price of digital negligence

13 Jul 2026



The recent US $ 2.5 million cyber fraud that disrupted the Government’s foreign debt repayment process is a clear warning. As the Committee on Public Finance (COPF) recently highlighted in Parliament, this multi-million-dollar theft was not the work of an unstoppable cybercriminal mastermind. Instead, it was the result of systemic governance failures, institutional friction, and an almost casual disregard for basic digital hygiene across our highest financial offices.

The details of the breach read like a manual on how not to manage State finances. While the Ministry of Finance and the Central Bank of Sri Lanka (CBSL) engaged in a protracted blame game over legal mandates, the actual vulnerabilities were embarrassingly simple. The External Resources Department was operating on a decade-old email server, completely isolated from modern, centralised IT platforms. Major debt repayments were being authorised by a single director without an independent secondary review, and vast public funds were transferred based on email instructions without anyone checking the invoices against signed loan agreements. Even when the Central Bank flagged a transaction to the United Arab Emirates as a potential money laundering concern, the warning simply dissolved into the bureaucratic ether of the Treasury.

This incident exposes a dangerous structural reality: Sri Lanka is rapidly digitizing its State architecture without building the defences necessary to protect it. While the country scores well on paper in international cybersecurity indices due to progressive legislation like the Personal Data Protection Act, our operational reality is deeply flawed. We are excellent at drafting policies but terribly weak at enforcing them.

This operational failure becomes terrifying when viewed alongside the aggressive expansion of the Anti-Corruption Act. Under this mandate, thousands of public officials, judges, and State executives are now required to submit exhaustive declarations of their assets and liabilities. The newly centralised electronic database managed by the anti-corruption commission requires individuals to upload incredibly sensitive data, including National Identity Card numbers, bank account details, exact asset valuations, and the financial footprints of their immediate families.

By gathering the intimate financial lives of every State decision-maker into a single digital repository, the Government has effectively created the ultimate honeypot for malicious actors. In physical, paper-based systems, a criminal would have to break into hundreds of separate offices to piece this information together. Today, a single unpatched server vulnerability or a well-placed phishing email could give hackers the keys to the entire kingdom.

The consequences of a breach at this scale would extend far beyond simple financial loss. If this registry is compromised, the data will not just sit on a hacker forum; it will be weaponised. With exact bank details and net-worth profiles in hand, cybercriminals can orchestrate highly targeted extortion campaigns against public officials. More alarmingly, foreign entities or domestic criminal syndicates could use this intelligence to blackmail State officials, turning personal financial vulnerabilities into severe threats to national security.

We cannot afford to treat cybersecurity as a minor technical issue relegated to poorly funded IT departments. It is a core pillar of national sovereignty and institutional integrity. The Government cannot in good conscience demand that thousands of citizens hand over their most sensitive personal data while it simultaneously fails to protect its own basic email communication during a critical debt restructuring process.

Moving forward, the Government must take immediate, concrete action. The financial regulations that govern public sector transactions, which have remained largely unchanged since 1992, must be comprehensively overhauled to reflect the digital age. Independent, rigorous penetration testing and continuous vulnerability scanning must become mandatory for every state database, especially those housing citizen data. Most importantly, the culture of single-sign-offs and unchecked email instructions for high-value transactions must end immediately.

The USD 2.5 million theft was a costly lesson, but it will look like a minor incident if the national asset registry is breached. Transparency and anti-corruption measures are vital for our economic recovery, but implementing them without ironclad digital defences is an act of extreme recklessness. It is time for the Government to stop the inter-agency finger-pointing, acknowledge its systemic vulnerabilities, and treat cybersecurity with the urgency it desperately demands.


More News..