By The Pulseline News Desk
Who ultimately pays for a cybercrime that siphoned away $2.5 million from the Sri Lankan Treasury?
The answer, according to government officials, is the public.
Unless authorities succeed in recovering the stolen money, the government will use state funds to settle the $2.5 million payment owed to the Australian government under Sri Lanka’s debt servicing obligations. In effect, taxpayers will bear the financial burden of one of the country’s most costly cyber frauds.
The revelation emerged during a recent meeting of the Parliament’s Committee on Public Finance (COPF), where Finance Ministry Secretary Dr. Harshana Sooriyapperuma had acknowledged that the Treasury would have to honour its commitment to Australia even though the original payment was diverted by cyber criminals.
The funds were lost after hackers had breached the Finance Ministry’s computer system and intercepted a payment intended for the Australian government. While investigations are continuing, officials have indicated that Sri Lanka cannot delay or default on its international debt obligations because of the cyber theft.
As a result, a fresh payment will have to be made from government coffers unless the stolen funds are recovered.
The disclosure has intensified concerns over accountability, particularly as details emerged about weaknesses in the ministry’s digital infrastructure.
During questioning by COPF Chairman and MP Harsha de Silva, it was revealed that the email server used to facilitate high-value international financial transactions had remained outdated since 2019.
Although basic guidelines to upgrade the system had been issued in 2023, they had not been fully implemented by the time the cyber-attack had occurred.
Even more concerning, the Finance Ministry Secretary had admitted he had been unaware that such a critical payment system continued to operate on outdated technology.
The revelations have sparked questions over whether the loss could have been prevented had recommended cybersecurity improvements been carried out earlier.
Cybersecurity experts note that government payment systems handling international financial transactions require continuous upgrades, multi-factor authentication and rigorous monitoring to minimise the risk of sophisticated attacks.
The incident has also highlighted a broader issue facing public institutions: the cost of inadequate cybersecurity often extends far beyond damaged computer systems. In this case, the financial loss could ultimately fall on the national budget, placing an additional burden on public finances at a time when Sri Lanka continues to navigate a fragile economic recovery.
Meanwhile, the Australian High Commission has confirmed to some media that discussions with the Ministry of Finance are ongoing regarding arrangements for the outstanding payment.
For Sri Lanka, however, the larger question remains unanswered. If the stolen money cannot be traced and recovered, taxpayers, not the cyber criminals, will ultimately pay the price for the breach, while investigations continue into how such a significant security failure was allowed to occur.
Leave a comment