“This is the biggest cybersecurity incident in Sri Lanka to date,” wrote a social media user on X, referring to a reported data breach at Cargills Bank, a major commercial bank in the country.
This statement is just one of many circulating across social media platforms about the alleged breach. Even cybersecurity experts have raised concerns.
A cybersecurity information provider named VenariX also mentioned the incident on its X account on March 20. According to their post, a ransomware group known as HuntersInternational allegedly hacked into the computer systems of Cargills Bank PLC, a licensed commercial bank in Sri Lanka that offers a wide range of services, including savings and current accounts, loans, credit and debit cards, and investment opportunities.
VenariX noted that it was not yet clear whether data had been disclosed to third parties or if any material loss had occurred. However, cybersecurity experts suggest that approximately 1.9 terabytes of data were accessed.
Social Media Attention
Roughly 12 days ago, a Reddit user posted about the breach, warning of an imminent data leak from Cargills Bank. The post included a screenshot from the HuntersInternational website, which allegedly displayed proof of the breach.
According to the screenshot, the ransomware group claimed to have stolen 1,137,008 files amounting to about 1.9 terabytes of data. Various users on Facebook and X also expressed concern, stating that sensitive customer information, including national identity card numbers, passport details, and samples of staff signatures, may have been compromised.
Cybersecurity researcher Dinidu Alwis, who has been monitoring the incident, stated that at least 4,200 national identity card copies were among the leaked files.
Cargills Bank’s Response
It was observed that Cargills Bank issued three statements on social media in response to the incident. The first was released on March 21 via Facebook and LinkedIn. The bank stated:
“Dear customers,
Cargills Bank has identified a cybersecurity incident involving unauthorized access to a peripheral system within its infrastructure. Upon detection, we quickly took action to harden our systems, isolate the affected components, and engage top-level cybersecurity experts to assess the threat, mitigate any potential impact, and protect the interests of our customers and the bank. There has been no disruption to our banking operations as a result of this incident.”
The bank emphasized that its core systems were not affected, identifying the breach as involving an external or peripheral system. However, Dinidu Alwis contested this claim, suggesting that the file structure indicated a deeper issue.
The second statement, issued on March 25, acknowledged that some of the bank’s data had been accessed and subsequently made public. It outlined steps the bank had taken in response but did not clarify whether customers were individually notified or how many were affected.
The third statement, released on April 2, confirmed that certain bank information had indeed been exposed. It noted that international cybersecurity experts had been engaged to investigate the incident, prevent further breaches, and strengthen the bank’s cybersecurity framework. The bank stated it was contacting affected parties individually and reiterated that its core banking operations remained secure and fully functional.
Attempts to obtain comments from senior management at Cargills Bank were unsuccessful. An official inquiry has been forwarded to the bank via email.
What Is a Data Breach?
Cybersecurity expert Asela Waidyalankara explained that a data breach occurs when personal data provided to an organization for a specific purpose is accessed by unauthorized parties. Organizations are responsible for safeguarding this data.
In the case of Cargills Bank, Waidyalankara noted that personally identifiable information (PII) appeared to have been shared on a dark web forum. He emphasized the need for increased digital literacy and awareness regarding cybersecurity risks in Sri Lanka.
The Risk to Consumers
Waidyalankara warned that data leaks could lead to an increase in fraudulent activities. Scammers can exploit personal data to target individuals more effectively. He noted a rise in scams in recent months and suggested that this breach could exacerbate the problem.
He advised customers to immediately change their passwords—especially if reused across platforms—and consider replacing debit or credit cards. He also emphasized heightened vigilance for those whose unchangeable data, like national identity numbers, may have been compromised.
Legal and Policy Gaps
Waidyalankara also criticized delays in enforcing Sri Lanka’s Personal Data Protection Act No. 9 of 2022. Originally set to take full effect in March 2025, its enforcement has been postponed by at least six months following a Cabinet decision in February.
The Ministry of Digital Economy announced on March 27 that an amendment bill had been drafted and published via a Gazette Notification. Until the amended law is enacted, the Data Protection Authority lacks full legal power to enforce data protection measures.
Waidyalankara argued that institutions currently have minimal obligations in the event of a breach, whereas the full enactment of the law would require them to notify both affected individuals and regulatory bodies.
Government Response
At a cabinet press briefing on April 2, Cabinet Spokesperson Minister Nalinda Jayatissa acknowledged that while reports about the breach had circulated, the matter was not discussed at the most recent cabinet meeting. He suggested that the issue may have been addressed at the Security Council level.
Minister Jayatissa added that the government is focused on enacting new laws to address cyber threats, as existing laws are insufficient for the current digital landscape. He emphasized the need for legal frameworks that balance cybersecurity with individual rights and freedoms.
The situation continues to unfold as investigations proceed, and consumers are advised to remain cautious and stay informed through official updates.
SOURCE :- BBC SINHALA
