BUSINESS AFFAIRS

CYBERSECURITY RISKS 

VIEWPOINTS

THE DARK SHADOWS OF DIGITALISATION

Suresh Ginige assesses cyber heists – and the dangerous gaps between ambition and preparedness – as Sri Lanka races towards a digital economy

The vision for an advanced digital economy in Sri Lanka was first formally articulated in 2019 by the then government under the national policy framework titled ‘Vistas of Prosperity and Splendour.’

And while the country has yet to experience either prosperity or splendour, successive governments have continued to champion digitisation as a gateway to prosperity.

The present administration is the latest to jump on the bandwagon with its ‘National Economy Strategy 2030.’ Among the ambitious goals of this plan are the digitisation of all government transactions by 2030 and the creation of a US$ 15 billion digital economy.

Enhanced economic competitiveness, increased exports and foreign exchange earnings, job creation, and more trusted and inclusive public services are among the benefits ascribed to this drive. 

Yet, while policymakers continue to extol the virtues of digitalisation, the country’s rapid shift online has also attracted the attention of more unsavoury elements. 

Operating in the shadows of cyberspace, cybercriminals have targeted Sri Lanka’s financial infrastructure, which was among the first sectors to be extensively digitalised. Despite having an array of sophisticated tools in their arsenal, these hackers discovered that the sector’s Achilles’ heel was something far simpler – emails.

Consequently, they didn’t require breached firewalls, hacked passwords or advanced malware to achieve their nefarious aims. All it took were a handful of carefully crafted emails to deceive senior officials at the treasury and Department of Posts, and have millions of dollars in public funds transferred to their personal accounts. 

The treasury cyber heist in particular exposed glaring weaknesses in the nation’s regulatory and procedural safeguards. 

Between November 2025 and January this year, the government made 10 debt repayments to Export Finance Australia. It was only after the agency reported that the funds were missing that authorities realised the payments had been fraudulently rerouted. 

The incident was described as a straightforward phishing attack with officials having taken the bait.

This fraud stemmed from a simple email, purportedly from the agency, notifying officials of a change in account details. As a result, the funds ended up not down under as intended but in Delaware in the US.

The scam was simple but its effects were far-reaching… 

Within the space of a few months, 2.5 million dollars in public money had disappeared. In addition, suspicious emails relating to Indian payments were discovered while documents linked to a French loan had gone missing, suggesting that the hackers were only getting started.

Shortly thereafter came revelations that over US$ 600,000 had been lost by the Posts Department under almost identical circumstances. Beyond patience and persistence, little ingenuity had been required to siphon off the money. 

These incidents reveal failures at multiple levels, as well as serious deficiencies in policy and regulatory frameworks. The absence of even basic safeguards such as encrypted communication channels, real-time monitoring systems and multi-factor authentication has been exposed.

Instead, authorities relied on outdated verification methods including ordinary email confirmations to secure transactions worth millions of dollars.

The incidents also highlight glaring shortcomings in staff training as officials reportedly ignored multiple warning signs. In addition, the lack of technical expertise at the highest levels of the Ministry of Finance and related departments has been blamed for procedural failures.


Ironically, these breaches occurred against the backdrop of the Central Bank of Sri Lanka requiring all local banks to maintain ISO 27001 certification in order to strengthen cybersecurity standards. Yet, the authorities have not seen fit to implement similar safeguards at the ministry that manages the nation’s wealth.

Sri Lanka’s growing vulnerability to online crime has had an unintended impact on the tourism industry with the emergence of a new category of visitors: cybercriminals. In 2026 alone, over 1,000 foreigners have been arrested so far for engaging in online scams, marking a major increase over previous years. 

In the absence of robust legislation and comprehensive institutional reforms, there is a real risk that Sri Lanka could become a hub for international cybercrime syndicates capable of carrying out their nefarious operations both within and beyond our borders.

These attacks demonstrate that grandiose rhetoric and bombastic visions cannot tide over fatal lacunae in legislation, regulation and institutional processes. They also reveal broader governance failures, as chronic policy inertia means that crucial reforms continue to gather dust instead of being implemented. 

Lest we forget, hackers have more advanced tools at their disposal including ransomware, data breaches and identity theft, malware, and spyware. The rapid growth of digital adoption and high value online transactions has dramatically heightened exposure to cyber risks.

Digital transformation undoubtedly offers significant benefits to the country. However, if the government continues to pursue shortcuts over methodical policy measures, appoint politically connected but unqualified individuals to key positions and overlook systemic vulnerabilities that can be exploited by bad actors, digitalisation could end up causing more harm than good. 

Without urgent reforms, stronger safeguards and expert oversight, Sri Lanka’s digital dream could well become a nightmare.
