Sunday, April 13, 2025
Sri Lanka’s biggest data breach:

How years of ignored warnings led to a cybersecurity disaster

by malinga
April 13, 2025 1:14 am

A major Sri Lankan bank is facing public scrutiny and regulatory questions after a catastrophic cybersecurity breach exposed more than 1.9 terabytes of data, over one million files, containing highly sensitive personal and internal information.

The breach, reportedly orchestrated by the ransomware group Hunters International, included National Identity Card (NIC) scans, phone numbers, bank account details, specimen signatures, and internal audit documents. Most alarmingly, the leak also included videos from Know Your Customer (KYC) onboarding sessions, showing customers displaying full IDs and reading out personal information.

The breach first surfaced publicly on March 20 through a social media post. Over the following days, third-party analysts confirmed the authenticity and scale of the leak, which compromised not only customer data but also information related to employees, board members, and other affiliated individuals. The inclusion of data tied to a former chair of Sri Lanka’s Data Protection Authority has further intensified public alarm.

Ignoring the warnings

This breach was not an unforeseeable event. Internal documents point to repeated, detailed warnings from audits that flagged cybersecurity gaps.

A 2024 network infrastructure audit cited poor firewall management, with staff bypassing web filtering controls and incomplete firewall change logs. User access reviews had not been conducted since 2022, and serious vulnerabilities highlighted as far back as 2021 remained unaddressed. The bank also lacked a Privileged Access Management (PAM) system, an essential layer of defence.

A separate 2024 data loss prevention review found multiple failures: sensitive data being shared without password protection, improperly encrypted personal data, irregular software patching, unregulated USB access, missing audit trails for downloads, and no standardised data retention or deletion policy.

The physical infrastructure fared no better. In July 2023, a system failure tied to hardware issues left the disaster recovery server without two-factor authentication or a backup for 26 days — placing the bank in a precarious single point of failure. Around the same period, a branch experienced unauthorised entry due to malfunctioning security systems, reportedly exacerbated by pest infestations damaging equipment.

A 2024 systems audit also revealed chaotic IT asset management, from unreturned devices by former employees to unauthorised software installations. In response to many of these audits, bank management often deflected accountability, citing a lack of clarity or resources rather than addressing the issues head-on.

Perhaps the most damning was a 2024 Information Security Operations audit that documented major failures to comply with Central Bank regulations. The bank lacked a formal Standard Operating Procedure, had no threat intelligence program, and took a reactive, rather than preventive, approach to incident response. Even the incident logs were not timely or complete, missing crucial documentation such as root cause analyses or stakeholder escalation details.

A lesson on how not to respond to a crisis

The bank’s response to the breach has come under intense criticism. In its first filing to the Colombo Stock Exchange (CSE), the incident was dismissed as merely “unauthorised access to a peripheral system.” Only after mounting pressure from cybersecurity experts and independent analysts did the bank acknowledge the seriousness of the situation. It eventually obtained a court order under the Online Safety Act (OSA) to block access to the leaked information, including content hosted on the dark web.

However, cybersecurity professionals have widely condemned this legal strategy. Attempting to block onion addresses on the Tor network is not only technically infeasible, it may have worsened the situation by inadvertently amplifying public attention, a phenomenon known as the Streisand Effect.

Digitisation and growing threats

This incident underscores a systemic weakness not only in one bank, but across Sri Lanka’s broader financial sector. As banks move towards digital-first services, they become increasingly attractive targets for sophisticated cybercriminals. Without effective oversight, regulation, and internal accountability, such breaches are no longer an anomaly — they are inevitable.

Cyberattacks bring with them a cascade of consequences: financial losses, regulatory penalties, legal liabilities, and lasting reputational damage. In an age where consumer trust is directly tied to digital security, even brief lapses in communication or transparency can erode loyalty and depress stock prices. Worse still, stolen data, particularly biometric details and financial credentials, can be exploited for identity theft, social engineering attacks, and fraud.

To protect themselves and their customers, banks must go beyond token compliance. Regular, comprehensive cybersecurity audits should lead to concrete changes. Firewalls and access controls must be strictly managed. Encryption protocols need to be standardised and enforced across all systems. Institutions should invest in real-time monitoring, maintain detailed and regularly updated incident response plans, and ensure ongoing staff training on cyber hygiene and social engineering threats.

Collaboration with reputable cybersecurity firms and strict adherence to Central Bank and international regulatory guidelines must be treated as integral to modern banking, not bureaucratic checkboxes. Most critically, financial institutions need to communicate transparently during and after security incidents. Silence or evasion only worsens the damage.

This breach must serve as a turning point. Sri Lanka’s financial sector cannot afford another wake-up call. What’s at stake is not mere data, it is trust, accountability, and the future of secure banking in the digital era.


The Sunday Observer is the oldest and most circulated weekly English-language newspaper in Sri Lanka since 1928
