April 25, Colombo (LNW): A leading cybersecurity specialist has warned that stronger technical controls could have reduced the impact of the recent cyber incident involving a Treasury payment of approximately US$ 2.5 million, suggesting that more rigorous systems may have prevented the breach altogether.
Asela Waidyalankara explained that the attack appears to have relied on a well-known tactic called Business Email Compromise (BEC), a method frequently seen across private sector organisations.
In such schemes, fraudsters typically intercept legitimate correspondence—often invoices—tamper with key financial details, and redirect payments into accounts under their control.
He noted that Sri Lanka’s banking sector has largely avoided such incidents due to tighter cybersecurity requirements. In particular, the Central Bank’s push for institutions to adopt ISO 27001 standards—an internationally recognised framework for information security management—has helped strengthen defences and enforce regular external audits.
Waidyalankara argued that a similar level of discipline should apply to state institutions managing public finances. Given the scale and sensitivity of Treasury operations, he suggested that comparable controls could have significantly mitigated the risk, if not prevented the incident entirely.
Expanding on the mechanics of the attack, he said BEC scams often exploit weaknesses in email systems, especially where updates and security patches are not consistently maintained. This raises concerns about whether the relevant systems were adequately secured and monitored at the time of the breach.
He also pointed to deeper organisational shortcomings, indicating that the issue may not be purely technical but linked to gaps in governance and oversight. Without structured cybersecurity policies and continuous evaluation, institutions handling large financial flows remain vulnerable to increasingly sophisticated threats.
While acknowledging that no system can offer absolute protection, Waidyalankara stressed that internationally recognised standards such as ISO 27001 provide a critical framework for reducing exposure to cyber risks.
He added that the relative resilience of banks—owing to strict compliance and layered safeguards—highlights the importance of adopting similar measures across all government bodies entrusted with national funds.
The post Treasury Cyber Breach Raises Questions Over Safeguards and Oversight appeared first on LNW Lanka News Web.
