Cyber criminals breached the Sri Lankan finance ministry’s computer systems and stole $2.5 million. The incident is now considered the largest known cyber theft from a state institution in the country.
The attack comes at a difficult time for Sri Lanka. The country is still recovering from the 2022 economic crisis. During that period, Colombo defaulted on $46 billion in external debt, placing heavy pressure on public finances.
Public Debt Office Targeted
The hackers focused on the Public Debt Management Office, known as PDMO. Authorities first noticed unusual activity linked to an attempted breach of the ministry’s email system. After checking the system, they found that $2.5 million had already gone missing.
On Wednesday, officials confirmed the funds were part of a planned debt payment to Australia. This was revealed to reporters in Colombo by the Finance Ministry Secretary Harshana Suriyapperuma. After a breach, the government suspended four senior PDMO employees.
Investigation and Foreign Assistance
Security teams in Sri Lanka have launched a full investigation into the cyber attack. Law enforcement agencies are now tracing how the breach took place and who may be responsible.
The government has also asked for support from international partners. Foreign cybercrime units are expected to assist in the investigation process. Officials have not released full technical details due to the ongoing probe.
Australia has also become involved. Matthew Duckworth, Australia’s High Commissioner in Sri Lanka, confirmed awareness of the irregular payment. He said Australian authorities are working with Sri Lankan investigators to review the case. He also restated Australia’s support for Sri Lanka’s debt recovery efforts.
Background and Wider Concerns
The PDMO is a recently created institution. It was set up earlier this year as part of financial reforms tied to a $2.9 billion IMF bailout package agreed in 2023. The office handles key debt planning and repayment functions.
The cyber attack has raised concerns about digital security in government systems. Earlier this year, Sri Lanka’s central bank and finance ministry ran public warnings about online fraud and cyber scams. The campaigns aimed to protect citizens from digital threats.
Those warnings were not enough. Major damage to the state system still took place. The incident reveals weaknesses in cybersecurity at major financial institutions. More worryingly, it questions what sort of assurance we have regarding the protection of public money going forward.
