Sri Lanka’s Cybersecurity Gaps Exposed by $2.5M Treasury Fraud and Record Complaints
Sri Lanka's Treasury lost $2.5 million in a payment diversion, Cargills Bank suffered its largest breach, and CERT logged over 12,650 complaints in 2025. What defenders should watch next.
TL;DR
Sri Lanka's Treasury External Resources Department lost roughly US$2.5 million in a payment diversion, Cargills Bank suffered its largest breach ever, and the national CERT logged more than 12,650 cybersecurity and social‑media complaints in 2025.
Context
A surge of online investment scams targets low‑income youth, while state institutions face increasingly sophisticated payment‑diversion attacks. The country lacks a comprehensive Cybersecurity Act, mandatory breach‑disclosure rules, and an independent regulator to enforce standards. These gaps let criminal groups exploit weak authentication, outdated software, and fragmented monitoring across ministries and banks.
Key Facts
- Treasury fraud: In early 2025, attackers altered beneficiary details in the External Resources Department's payment system, redirecting about US$2.5 million to offshore accounts. The anomaly was spotted during a routine reconciliation audit; investigators traced the change to compromised privileged credentials likely obtained via spear‑phishing (MITRE T1566.001) and abuse of valid accounts (T1078).
- Cargills Bank breach: In mid‑2025, threat actors exfiltrated customer IDs, transaction logs, and internal emails after exploiting an unpatched vulnerability in the bank's web portal (a recently disclosed remote‑code‑execution flaw). The intrusion remained undetected for roughly three weeks, affecting an estimated 1.2 million records and marking the largest data breach in Sri Lankan banking history.
- Complaint volume: Sri Lanka CERT recorded 12,650 cybersecurity and social‑media complaints in 2025, a 38% rise from the previous year, with the majority citing online fraud, phishing, and unauthorized access.
What It Means
The incidents show that financial loss, data exposure, and public‑trust erosion are now systemic risks rather than isolated events. Without legal mandates for breach notification and minimum security controls, organizations have little incentive to invest in detection or response capabilities. The rise in complaints also signals that victims are increasingly reporting, but many cases remain unresolved due to limited forensic capacity.
Mitigations
- Enforce MFA and privileged‑access workstations for all treasury and banking admins (CIS Control 6).
- Apply the latest patches for web‑portal components; prioritize the disclosed remote‑code‑execution flaw and similar RCE flaws (CVSS ≥ 9.0).
- Deploy network‑based anomaly detection for unusual outbound payment‑instruction changes (MITRE T1078.002) and enable SIEM alerts on credential‑usage spikes.
- Conduct quarterly phishing simulations and enforce DMARC, DKIM, and SPF to reduce spear‑phishing success.
- Establish a mandatory breach‑disclosure timeline (e.g., 72 hours) and create an independent cyber‑security regulator to audit critical infrastructure.
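The two detections above (payment‑instruction changes and credential‑usage spikes) can be reduced to simple rules over a payment system's audit log, which is what the reconciliation audit that caught the Treasury diversion did by hand. The following is an added example, not code from the article or from any Sri Lankan institution; the event schema, the dual‑approval policy on beneficiary changes, the seven‑day lookback, and the per‑account login threshold are all assumptions, and the events are constructed sample data.

```python
"""Added example (not from the article): two detection rules run over constructed
payment-system audit events. Field names, thresholds and the dual-control policy
are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=7)        # beneficiary change shortly before a payment is suspicious
REQUIRED_APPROVALS = 2              # assumed policy: dual control on beneficiary changes
LOGIN_WINDOW = timedelta(hours=1)
MAX_LOGINS_PER_WINDOW = 4           # assumed per-account baseline for privileged logins

# Constructed sample events (not real data). Each event carries an ISO timestamp,
# an event type, the acting account, and type-specific fields.
SAMPLE_EVENTS = [
    # Legitimate, dual-approved beneficiary change followed two days later by a payment.
    {"ts": "2025-01-10T10:00:00", "type": "beneficiary_update", "actor": "erd-admin-02",
     "payee": "VENDOR-0042", "new_account": "ACCT-LEGIT", "approvals": 2},
    {"ts": "2025-01-12T11:00:00", "type": "payment", "id": "PAY-0990",
     "payee": "VENDOR-0042", "amount": 120000},
    # Normal daily logins for the privileged account.
    {"ts": "2025-02-02T08:00:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "203.0.113.5"},
    {"ts": "2025-02-02T13:00:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "203.0.113.5"},
    # Burst of logins from several addresses within one hour (credential-usage spike).
    {"ts": "2025-02-03T08:00:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "198.51.100.7"},
    {"ts": "2025-02-03T08:10:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "198.51.100.7"},
    {"ts": "2025-02-03T08:20:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "192.0.2.44"},
    {"ts": "2025-02-03T08:30:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "198.51.100.7"},
    {"ts": "2025-02-03T08:40:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "192.0.2.44"},
    {"ts": "2025-02-03T08:50:00", "type": "login", "actor": "erd-admin-01", "result": "success", "src_ip": "203.0.113.5"},
    # Single-approval beneficiary change, then a large payment to the same payee next day.
    {"ts": "2025-02-03T09:12:00", "type": "beneficiary_update", "actor": "erd-admin-01",
     "payee": "VENDOR-0042", "new_account": "ACCT-OFFSHORE", "approvals": 1},
    {"ts": "2025-02-04T14:00:00", "type": "payment", "id": "PAY-1001",
     "payee": "VENDOR-0042", "amount": 2500000},
    # Unrelated payment with no recent beneficiary change.
    {"ts": "2025-02-04T15:00:00", "type": "payment", "id": "PAY-1002",
     "payee": "VENDOR-0017", "amount": 8000},
    {"ts": "2025-02-04T09:00:00", "type": "login", "actor": "erd-admin-02", "result": "success", "src_ip": "203.0.113.9"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_risky_payments(events):
    """Return payments whose payee's bank details changed within LOOKBACK without
    the required number of approvals. This automates the reconciliation check so it
    runs on every payment instead of only at audit time."""
    changes = defaultdict(list)
    for e in events:
        if e["type"] == "beneficiary_update":
            changes[e["payee"]].append(e)
    alerts = []
    for e in events:
        if e["type"] != "payment":
            continue
        paid_at = parse(e["ts"])
        for c in changes[e["payee"]]:
            age = paid_at - parse(c["ts"])
            if timedelta(0) <= age <= LOOKBACK and c["approvals"] < REQUIRED_APPROVALS:
                alerts.append({"payment_id": e["id"], "payee": e["payee"], "amount": e["amount"],
                               "changed_by": c["actor"], "changed_at": c["ts"]})
    return alerts


def flag_login_spikes(events):
    """Return (account, window_start, login_count, distinct_ips) for each account whose
    successful logins in any sliding LOGIN_WINDOW exceed MAX_LOGINS_PER_WINDOW."""
    logins = defaultdict(list)
    for e in events:
        if e["type"] == "login" and e["result"] == "success":
            logins[e["actor"]].append((parse(e["ts"]), e["src_ip"]))
    alerts = []
    for actor, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            window_ips = [ip for t, ip in entries[i:] if t - start < LOGIN_WINDOW]
            if len(window_ips) > MAX_LOGINS_PER_WINDOW:
                alerts.append((actor, start.isoformat(), len(window_ips), len(set(window_ips))))
                break  # one alert per account is enough for an analyst to triage
    return alerts


if __name__ == "__main__":
    for a in flag_risky_payments(SAMPLE_EVENTS):
        print("RISKY PAYMENT:", a)
    for a in flag_login_spikes(SAMPLE_EVENTS):
        print("LOGIN SPIKE:", a)
```

The payment rule deliberately ignores the dual‑approved change in January, so the earlier payment to the same vendor produces no alert; in practice the change events and payment events would come from the payment system's own audit trail and the SIEM, and the thresholds would be tuned to each account's observed baseline.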
What to watch next
Parliament’s draft Cybersecurity Act is expected for debate later this year; its passage will shape mandatory reporting, incident‑response standards, and enforcement mechanisms that could finally close the current defensive gap.