A shocking cyber security revelation has surfaced as sensitive Sri Lanka Ministry of Finance data was allegedly put up for sale on the dark web, raising urgent concerns about national cyber defence, data protection failures, and government system vulnerabilities.
The recent incident involving the Treasury mistakenly transferring funds intended for an Australian government loan repayment into a hacker controlled account has become one of the most widely discussed cyber security breaches in Sri Lanka. While this case has captured national attention, experts warn that earlier cyber attacks targeting government institutions deserve equal scrutiny.
Just days ago, an account operating under the name Dark Web Intelligence revealed that data belonging to the Ministry of Public Administration and Home Affairs had been listed for sale by cybercriminals. This disclosure has intensified fears about the scale of cyber threats facing Sri Lanka’s public sector digital infrastructure.
Sri Lanka’s National Cyber Security Operations Centre was officially launched by President Anura Kumara Dissanayake on September 25 last year, alongside the introduction of the National Cyber Security Strategy for 2025 to 2029. The centre was established to monitor 37 critical government institutions, including the Department of Immigration and Emigration, the Department of Motor Traffic, and the Inland Revenue Department, on a 24 hour basis to detect and respond to cyber attacks.
However, cyber security experts have raised concerns about the absence of a fully enacted Cyber Security Bill, which has created gaps in enforcement and accountability. Lakmal Ebuldeniya, Chairman of the Digital Trust Alliance, explained that although a draft law has existed for years, it has not yet been implemented. As a result, the institutional framework required to investigate and respond effectively to cyber incidents remains weak.
He noted that the Sri Lanka Computer Emergency Readiness Team, which currently handles cyber incidents, lacks the authority to conduct comprehensive investigations, as it operates as a government affiliated private entity. According to him, only a few institutions such as the University of Colombo, the University of Moratuwa, and the Government Analyst’s Department have the technical capability to examine such incidents, yet even they lack the legal authority to enforce standards or conduct full scale investigations into government cyber systems.
On September 15, 2025, reports surfaced on the Dark Web Intelligence platform indicating that sensitive data from the Ministry of Finance had been obtained by hackers and was being offered for sale on a cybercriminal forum. This development occurred just days before the launch of the National Cyber Security Operations Centre.
According to the report, the hackers had gained access to highly sensitive information, including full names of Ministry employees, national identification details, residential and office addresses, personal contact numbers, official email accounts, and even plain text passwords. The stolen data was reportedly listed for sale at a price of 4,000 dollars in Bitcoin, highlighting the growing threat of financial cyber crime in Sri Lanka.
Cyber attacks targeting Sri Lankan government systems are not new. In May 2025, an intrusion into the Department of Pensions data system was reported. Authorities later confirmed that although the breach occurred, they were able to recover all data with the support of the Sri Lanka Computer Emergency Readiness Team.
Earlier incidents include a 2023 cyber attack on the government cloud infrastructure, which resulted in data loss, as well as a series of cyber attacks carried out in 2020 targeting multiple government websites. In 2016, a student from Kandy was arrested after breaching the website of the President’s Secretariat, demonstrating that cyber vulnerabilities have existed for years.
Experts emphasize that while preventing cyber attacks entirely is nearly impossible, the real challenge lies in how institutions respond once a breach occurs. Lakmal Ebuldeniya stressed that timely disclosure and transparency are critical, pointing out that international standards such as the General Data Protection Regulation require organizations to inform affected users and authorities when breaches happen.
He further explained that the true risk lies not only in the breach itself but in the potential misuse of stolen data. Sensitive information, including financial records, personal details, and contact data, can expose individuals to fraud, identity theft, and long term security threats.
The growing number of cyber incidents has raised broader questions about data protection, digital governance, and national security in Sri Lanka. As government institutions continue to digitize services, experts warn that without strong legal frameworks, enforcement mechanisms, and rapid response strategies, the risk of future cyber attacks will remain high.
