A parliamentary inquiry into the theft of $2.5 million from public funds has uncovered alarming shortcomings in the Government’s digital infrastructure, exposing vulnerabilities that cybersecurity experts say should never have existed within a key financial institution.
The revelation emerged during recent proceedings of the Committee on Public Finance (copf), which examined the circumstances surrounding the cyber theft of Treasury funds reserved for servicing government debt obligations.
Among the most troubling findings was evidence that the Finance Ministry had reportedly been operating an email server without cybersecurity support for nearly five years a deficiency that investigators believe may have contributed to the successful execution of the fraudulent transactions.
Committee Chairman Dr. Harsha de Silva described the discovery as a major warning sign, particularly at a time when cyberattacks targeting public institutions are becoming more sophisticated and frequent worldwide.
The fraudulent transfers are believed to have originated through email communications, placing renewed focus on the security standards governing government digital systems. Experts have long warned that unsupported or outdated email infrastructure can create opportunities for phishing attacks, credential theft, and unauthorized access to sensitive financial information.
Dr. De Silva questioned how a critical state institution responsible for handling public finances could continue using technology lacking adequate cybersecurity protection in an era of escalating digital threats.
The issue surfaced as lawmakers examined broader failures linked to the incident. Testimony before the committee suggested that weaknesses extended beyond technology and included procedural gaps, unclear reporting structures, and uncertainty over decision-making responsibilities once suspicious activity was detected.
The investigation has also revealed disagreements between the Treasury and the Central Bank regarding accountability for the theft. However, committee members emphasized that the focus should extend beyond assigning blame and address the systemic vulnerabilities that made the fraud possible.
Several agencies are now involved in efforts to recover the stolen funds and identify those responsible. Investigations are being conducted by the Criminal Investigation Department (CID), police authorities, and independent forensic auditors specializing in cybercrime and financial fraud.
While recovery efforts continue, officials have acknowledged the possibility that some or all of the funds may never be recovered. If that occurs, taxpayers will ultimately shoulder the financial burden.
Evidence presented before the committee indicated that unrecovered losses would need to be absorbed by the Government through future budgetary adjustments, effectively transferring the impact of the theft to the public purse.
The incident has reignited concerns about cyber resilience across Sri Lanka’s public sector, particularly as government agencies increasingly rely on digital platforms for treasury operations, debt management, and financial transactions.
Lawmakers now face mounting pressure to strengthen cybersecurity frameworks, modernize outdated systems, and establish clear accountability mechanisms. As the Committee on Public Finance prepares for further hearings and awaits additional submissions from relevant institutions, the case is increasingly being viewed not merely as a financial crime but as a wake-up call about the state of cybersecurity within government.
The committee’s eventual recommendations are expected to shape future reforms designed to prevent similar breaches and restore confidence in the protection of public funds.