The US$2.5 million Treasury cyber heist has exposed more than a sophisticated international phishing operation.
It has laid bare a culture of institutional buck-passing where government agencies appear more interested in shifting responsibility than explaining why taxpayers must now finance losses created by official failures.

The final report of Parliament’s Committee on Public Finance paints a disturbing picture.
Following the transfer of external debt management from the Central Bank of Sri Lanka (CBSL) to the newly established Public Debt Management Office (PDMO), neither institution appears to have ensured that adequate governance, cybersecurity nor were operational safeguards firmly in place.
Instead, the transition created confusion over responsibility.When the fraud surfaced, each institution presented competing explanations.
The Ministry of Finance argued that the Central Bank, acting as the Government’s banker, should have identified suspicious payment instructions before releasing funds.
The Central Bank countered that legal responsibility had already shifted entirely to the PDMO.COPF rejected both arguments.
Its conclusion was unequivocal: responsibility remains institutional and cannot be transferred through administrative restructuring.
The committee identified governance failures extending from operational officers to the highest levels of financial administration, including the Treasury Secretary’s office and the Central Bank’s leadership.
Perhaps the greatest injustice is that taxpayers who neither managed government email servers nor approved international transfers will ultimately finance the loss.
Treasury Secretary Harshana Suriyapperuma has already acknowledged that unrecovered funds must eventually be absorbed through national budget adjustments.
That means fewer resources for public services or additional borrowing to compensate for avoidable losses.
The fraud itself relied on a remarkably simple deception.Hackers created a spoofed email domain almost identical to Export Finance Australia’s genuine address.
Officials processing sovereign debt repayments failed to detect the alteration and transferred millions of dollars accordingly.
Experts say such scams are well known internationally and can usually be prevented through straightforward verification procedures, mandatory telephone confirmations and modern cyber security systems.
However COPF found that critical government infrastructure remained dependent on obsolete technology unsupported since 2019.
Basic protections like Multi-Factor Authentication were missing.Standard operating procedures requiring independent verification of foreign payment instructions had either not been implemented or were ignored.
The consequences extended beyond the stolen money.Sri Lanka technically entered arrears with an external sovereign creditor, forcing the Government to seek an IMF waiver to preserve its economic reform programme.
Although the IMF treated the breach as relatively minor, the incident nevertheless damaged confidence in the country’s financial controls during a period of fragile economic recovery.
The criminal investigation continues, with forensic experts examining massive volumes of digital evidence and investigators probing whether insider assistance facilitated the attack.
But regardless of whether criminal conspiracy is ultimately proven, Parliament has already identified the larger issue.This was not simply a cybercrime.It was a governance failure.
And unless accountability extends beyond suspended middle-ranking officials to those responsible for oversight, Sri Lankan taxpayers may once again find themselves paying the price for mistakes they neither created nor could have prevented.



