Shooting the messenger


09 Apr 2025



Sri Lanka first learned of what may be the island’s largest data breach of customers' personal information through social media revelations by a journalist over the last month. These pointed to a cyber-attack on locally registered Cargills Bank, where, going by the information available online, nearly two terabytes of the bank's client data (said to involve over a million files of personally identifiable information) had been leaked by a cyber-crime outfit reportedly known as Hunters International.

The fact that the public had to learn of this from a journalist's social media posts is itself indicative of the concern and work ethics of the government regulators, the security apparatus and the said bank.

According to an article on LinkedIn by Dr. Sanjana Hattotuwa and cyber security expert Asela Waidyalankara, the said bank started operations in 2014 and is a listed company on the Colombo Stock Exchange. It is reported that the 2024 annual report indicates the bank has nearly 700 employees, with a gross income of Rs. 11,323,000,000, and a pre-tax profit of Rs. 1,150,000,000. In 2024 alone, the bank had over 245,000 customers. One would expect that holding the personal data of nearly a quarter million citizens would have warranted a robust cyber security structure for the bank. It would be interesting for the customer and the public to know if the said bank had such safeguards in place or if there was complacency or collusion with the hackers. A thorough investigation of the bank and its safeguards would reveal that. It is in the public interest to question national regulators like the Central Bank of Sri Lanka (CBSL) and the TRCSL about what type of online safety and security safeguards institutions such as licensed banks must have in place, and why they failed with this institution. Given this incident and the many other cyber scams and cyber security breaches which have occurred over the recent past, it is imperative that the government consult key stakeholders, study international best practices and implement a set of robust regulations to govern at least a baseline cyber security regime for institutions like banks, and whoever else collects, stores and uses databases of personal information of citizens.

Meanwhile, the controversial Online Safety Act (OSA), which has raised concern amongst local and foreign rights activists and civil society, is once again being weaponised against those who report on issues which are in the public interest. The situation gets complicated as it involves failures in the safety of the critical digital infrastructure of the island, the risks these pose to the national banking system, and a breach of public trust in financial service providers and those involved in protecting our personal information. This Government made promises that it would not use the law in its current form. In January of this year, the Ministry of Mass Media stated it is scheduled to begin stakeholder discussions on amending the Online Safety Act (OSA), while stakeholders maintain that the amendment bill published by the previous Government fails to address the fundamental issues with the act. Its Additional Secretary–Development N.A.K.L. Wijenayake told The Sunday Morning that ministerial-level discussions were underway regarding the amendment process. Nevertheless, it seems the law is being used with no amendments.

The OSA, which was passed into law last year despite much criticism and calls for a review, has seldom been used to ‘protect women or children from online bullying’, which the proponents of the bill trumpeted when they rushed to make it law. The use of the law, or in some cases, alleged abuse, has done little to build faith in its purpose and employment. It is now alleged that the bank at the centre of the cyber security failure and the breach of its clients' personal data is using the law to curb reporting about the incident. Shame. Surely, this is not in the public interest, nor is it in the best interest of those who have become victims due to the bank's failures. Such an approach by an entity to which we are expected to trust our money and our personal details does little to restore faith. It also highlights the risk of having laws like the OSA on the books: un-reformed, they can adversely affect those who work in the public interest.

 

   


