- Finance Ministry fund diversion and dark web data sale trigger alarm over cyber readiness
- Critics demand accountability as Treasury payment vanishes; officials face suspension
- Experts warn underpaid staff and legacy systems leave State vulnerable to sophisticated attacks
- Govt. promises 24/7 cyber monitoring centre, new Cyber Security Authority after twin shocks
- Questions mount over ability to protect public money and citizen data amid digitisation push
Sri Lanka’s digital infrastructure and financial security are currently under intense scrutiny following two significant cyber incidents that have exposed vulnerabilities within the State apparatus.
The first involves a highly sophisticated cyber heist resulting in the misdirection of $ 2.5 million in Treasury funds, initially intended for foreign debt repayment.
The second incident revolves around the alleged breach and subsequent sale of data belonging to the Ministry of Public Administration on the dark web.
Together, these events have sparked widespread debate over institutional capacity, the urgent need for skilled personnel in Government, and the overall readiness of the nation to secure its critical national information infrastructure amidst ongoing digitisation efforts.
The Treasury cyber heist
The loss of $ 2.5 million from the Ministry of Finance due to a breach by suspected hackers has rung alarm bells again about the cybersecurity of State institutions. This is the latest in a string of cybersecurity failures that have shown the State’s digital infrastructure to be porous and weak.
Between December 2025 and January 2026, the Treasury had attempted to process a payment forming part of a larger $ 22.9 million loan repayment. Instead of reaching the intended recipient, the funds had been intercepted and diverted to a third party.
An official press release from the Ministry of Finance, Planning and Economic Development confirmed the breach, stating: “The ministry has already lodged complaints with law enforcement agencies and other relevant institutions regarding the theft committed by cyber hackers who breached the computer system of the External Resources Department. Based on identified information relating to a foreign currency payment in January 2026, the ministry informed the Sri Lanka Computer Emergency Readiness Team (SLCERT) and the Computer Crime Investigation Division of the Sri Lanka Police.”
The ministry further confirmed that complaints had been subsequently lodged with the Criminal Investigation Department (CID) and the Financial Intelligence Unit of the Central Bank of Sri Lanka (CBSL). An internal inquiry has led to disciplinary actions against several officials, though the ministry noted it was withholding further updates to avoid disrupting the ongoing investigations.
Deputy Minister of Finance Dr. Anil Jayantha Fernando provided some clarity on how the fraud was uncovered, revealing that the hackers responsible for intercepting the funds intended for the Australian Export Finance Agency had also attempted to divert a separate payment intended for India.
“The fraud came to light after they attempted to obtain funds to be sent to India. A suspicion arose due to the constant change of the account numbers connected to the payments. A lengthy investigation was carried out, which traced the debt repayment since the debt restructuring process, and the alleged financial theft by the hackers associated with the payment to the Australian Export Finance Agency was revealed through the probe,” Dr. Fernando explained.
He also defended the Government’s initial silence on the matter, noting that the primary goal was to capture the perpetrators and recover the funds, and that leaking sensitive operational details would have indirectly assisted the hackers.
In response to the Australian connection, the Australian High Commission in Colombo said in a social media statement that it was actively assisting Sri Lankan authorities with the investigation while remaining committed to supporting Sri Lanka’s debt sustainability.
Despite the confirmation of unauthorised access by the Ministry of Finance, Deputy Minister of Digital Economy Eranga Weeraratne offered a nuanced perspective and attempted to downplay the breach of the State coffers.
“There is no hack in the Finance Ministry. Based on the investigation done so far, we cannot find any system hack as of now. There is no email hacking or anything similar that has occurred. However, we have to find out how this impersonation of a legitimate company by a foreign party took place. We have to see who executed that and what methods were used, and the investigation into that aspect is currently ongoing,” Weeraratne claimed.
Demands for accountability
The suspension of lower-level IT staff and departmental directors has not satisfied critics, who argue that a transaction of $ 2.5 million could not bypass high-level authorisation without severe systemic failure or complicity.
Politician and Attorney-at-Law Premnath C. Dolawatte, who is also the Convener of the Truth Seekers Movement, lodged a formal complaint with the Inspector General of Police. He demanded an independent investigation, arguing that transactions of such magnitude required the involvement of senior officials, including the Deputy Treasury Secretary, the Treasury Secretary, and the relevant political authorities.
Dolawatte stressed that an internal technical committee was entirely insufficient to conduct a comprehensive probe into an irregularity of this scale.
Echoing these demands, the Free Lawyers collective opened the lid on this particular can of worms about State accountability by submitting a letter to the Speaker of Parliament requesting a formal parliamentary investigation into the cyber incident.
The collective noted that while two Deputy Directors, two Directors, and the Head of the IT Division had been suspended, the ultimate responsibility for foreign debt management lay with the External Resources Department and the Public Debt Management Office (PDMO).
It emphasised that executing such a massive payment was impossible without the mandatory authorisation of the Deputy Treasury Secretary and the Treasury Secretary, reminding the Speaker that Parliament held ultimate constitutional responsibility for public finance.
Systemic flaws and the capacity deficit
Beyond the immediate criminal investigations, the cyber heist has exposed severe capacity limitations within the State’s financial management sector. Experts pointed out that the inability to detect the fraud early was a direct result of relying on underpaid, underqualified staff to manage complex global financial operations.
Economist Umesh Moramudali highlighted this critical flaw, drawing attention to the staffing quality at the PDMO.
“The PDMO has a huge capacity issue, and the recent misdirection of $ 2.5 million is a direct reflection of that. It needs a salary scale similar to the CBSL so that it can hire professionals and skilled individuals to handle debt management. This matter was raised multiple times before, but the Government chose to ignore it.”
He warned that failing to attract competent labour directly weakened the State: “You cannot build State capacity without attracting highly competent and skilled labour. Such talent does not come cheap. The longer we deny this reality, the weaker the State becomes, and the more losses it causes.
“At the very least, the Government must restructure the cadre of the PDMO, introduce a separate cadre with a higher pay scale, and recruit well-qualified, experienced, and competent IT engineers. The IT section in the Ministry of Finance exists to protect the country’s money, not just to update Wi-Fi passwords,” Moramudali asserted.
Lawmakers have also expressed extreme frustration over the ignored warnings.
Samagi Jana Balawegaya (SJB) MP and Committee on Public Finance (COPF) Chairman Dr. Harsha de Silva criticised the Ministry of Finance for severe negligence and a lack of transparency.
“What happened to $ 2.5 million of Sri Lankan people’s money? It disappeared. This is not just negligence. This is a failure we explicitly warned about. When debt operations were moved from the CBSL to the Treasury’s PDMO, the COPF repeatedly urged the Treasury to hire competent and experienced staff. Managing a sovereign nation’s debt in global financial markets is not a clerical task, yet those warnings were completely ignored.”
He also raised the possibility of a technical default, questioning whether Sri Lanka could be considered in default if a creditor had not received its due payments. Dr. de Silva also condemned the Ministry of Finance for failing to appear before the COPF for three consecutive meetings, calling it an unprecedented level of contempt for parliamentary oversight.
“We wrote to the Secretary of the Treasury, as Parliament is constitutionally responsible for public finance. We have yet to receive a response on how or when this happened, and why the Ministry of Finance and the CBSL have been silent all this time. This is not a political issue. We must come together to address this, hold those responsible accountable, and rebuild the trust our country has worked so hard to restore,” Dr. de Silva concluded.
Public Administration Ministry data breach
While the Finance Ministry grappled with the loss of millions, a separate cyber incident struck the Ministry of Public Administration, with reports emerging that an archive of data containing the personal information of Government officers, including names, email addresses, and contact numbers, had been published on the dark web and offered for sale for $ 200.
In a concerning display of communication gaps within the Government, Deputy Minister of Provincial Councils and Local Government Prabha Ruwan Senarath stated he was completely unaware of this data breach.
Deputy Minister Weeraratne again downplayed the severity of this specific leak, classifying it as data scraping rather than a complex breach of secure systems.
“There are reports on the dark web regarding this data. The dark web operates in a way that allows anyone to publish data collected from anywhere in the world. Someone has published an archive of data and is claiming it includes information related to Government officers. However, the vast majority of this information is already available on the Public Administration website, as citizens need these details to contact Government officers down to the Divisional Secretariat level,” Weeraratne argued.
“We do not consider this a real data breach. It appears someone has scraped the existing public data from the website and published it for sale at $ 200. If it were truly sensitive and highly confidential data, the asking price would have been significantly higher,” he added.
SLCERT Chief Information Security Officer Nirosh Ananda provided further context regarding the vulnerability of such sites, confirming that the compromised Public Administration website had not been utilising modern cloud security.
“The data in question is not hosted on a secure cloud. It is part of the Lanka Government Cloud environment, but it involves older, static sites. We have seen some screenshots and samples of the data, but we cannot figure out exactly from which specific application or site the data was extracted. We are currently conducting investigations and assessments to see if there is any potential violation of the privacy of individuals and to check for vulnerabilities in the application,” Ananda said.
Ananda identified legacy systems as the primary weak point across the Government domain: “There are thousands of websites and applications being hosted for a long period of time. From time to time, the systems get outdated and remain unaudited for long periods. If you take this specific ministry, they only have a couple of static website applications. We have identified 40 organisations that are critical national information infrastructure holders, and we are focusing on isolating and strengthening their security first.”
Future safeguards and infrastructure upgrades
With major digitisation initiatives looming, including the Sri Lanka Unique Digital Identity (SL-UDI) project, the recent breaches have cast a shadow of doubt over the Government’s ability to protect sensitive citizen data.
Both Weeraratne and Ananda outlined proactive steps being taken to secure the digital perimeter moving forward, with Weeraratne emphasising the deployment of real-time monitoring systems.
“The Government has invested in and launched a 24/7 National Cyber Security Operations Centre. It is currently live and mandated to monitor systems in real time using artificial-intelligence-enabled tools to detect attacks before incidents happen. Integrating all critical IT infrastructure with this centre is our absolute top priority. We are expediting the connection of all identified institutions, including the Finance Ministry systems, within the next quarter,” Weeraratne said.
Furthermore, Weeraratne announced legislative measures to create a more robust enforcement mechanism: “To enforce cybersecurity across all digital public infrastructure, we are establishing a new organisation called the Cyber Security Authority (CSA). The bill to establish this authority is currently with the Legal Draftsman. Once formed, it will enforce security measures proactively, whereas the current mandate of SLCERT is primarily to respond to issues after they occur.”
Ananda reinforced the commitment to securing future projects through strict compliance: “According to the National Digital Blueprint, whenever a new application is developed, it is mandatory for it to undergo an assessment by SLCERT before it goes live. We evaluate new applications very thoroughly. All upcoming projects, including the digital identity initiatives, must go through SLCERT. For the older, outdated static sites, we have given directives to the responsible organisations to upgrade their systems, as relying on obsolete technology makes them easy targets for attackers.”