Latest Posts

Cyber Fraud Investigation Reveals Treasury’s Dangerous Culture of Complacency

The parliamentary Committee on Public Finance (COPF) has delivered one of the strongest indictments yet of Sri Lanka’s public financial management system, concluding that the cyber theft of USD 2.5 million during a foreign debt repayment to Australia was not simply the work of sophisticated cybercriminals but the result of systemic governance failures, weak internal controls and years of neglected cyber security.

The committee’s final report paints a troubling picture of how a sequence of avoidable mistakes allowed public funds to disappear while officials failed to detect warning signs for months.

At the centre of the findings is a Treasury that was operating an outdated Microsoft Exchange Server after Microsoft’s security support had already expired.

Even more alarming, investigators found that basic cyber security safeguard including multi-factor authentication had not been implemented, leaving one of the country’s most sensitive financial institutions vulnerable to compromise.

COPF concluded that governance failures extended to the highest levels of the financial administration. It directly attributes responsibility to the Secretary to the Treasury and the Governor of the Central Bank, arguing that institutional shortcomings under their oversight created the conditions that enabled the fraud.

Investigators also discovered that officials responsible for processing foreign debt repayments relied on email communications that were neither independently authenticated nor adequately verified.

Payment instructions were accepted without properly confirming lender email domains or validating changes through secure alternative communication channels. These procedural lapses effectively opened the door for cybercriminals to infiltrate official correspondence and redirect public funds.

Perhaps the most disturbing revelation is that the Australian payment was not an isolated incident. COPF disclosed that suspicious or fraudulent payment instructions were also detected in debt repayment transactions involving India, the United Kingdom, Germany and Belgium.

While authorities successfully prevented financial losses in those cases, the repeated attempts indicate that cybercriminals had identified Sri Lanka’s debt servicing operations as a vulnerable target.

The report suggests the attack was less a single breach than evidence of a prolonged campaign exploiting weaknesses in government financial systems.

Despite identifying failures across multiple institutions, disciplinary action has so far been limited to four mid-level officials attached to the Ministry of Finance. The committee questions whether accountability has reached the levels where critical decisions on cyber security, risk management and institutional oversight were actually made.

The report’s recommendations extend well beyond assigning blame. COPF has called for a comprehensive special audit covering the entire foreign debt repayment framework to determine whether additional vulnerabilities or irregularities remain undetected.

It also recommends mandatory cyber security upgrades across government agencies, stronger verification procedures for international financial transactions, revised financial regulations and significant reforms to Sri Lanka’s public debt management systems.

The findings serve as a stark reminder that cyber threats are no longer confined to private corporations or financial institutions. They now pose direct risks to sovereign finances and taxpayer money. For Sri Lanka, the USD 2.5 million loss may represent only the measurable cost. The greater damage lies in exposing how fragile governance, outdated technology and inadequate oversight can combine to undermine confidence in the management of public finances.

Latest Posts

spot_imgspot_img