Senior disinformation researcher Dr. Sanjana Hattotuwa has condemned the Sri Lankan Department of Pensions for its handling of a major cybersecurity incident. Writing in response to a journalist’s inquiry, Dr. Hattotuwa criticized both the technical response and the public communication surrounding the breach, which allegedly involves 617 GB of compromised data—potentially the largest such breach in the country’s public sector history. He also highlighted the department’s decision to issue its public statement solely in Sinhala, calling it a continuation of discriminatory government language practices that obstruct access to critical information.
Full article below:
කොහෙද යන්නේ මල්ලේ පොල්: The Sri Lankan Pensions Department’s response to cybersecurity incident
A Sri Lankan journalist asked me for my response to recent reports of an alleged cybersecurity incident targeting Sri Lanka’s Department of Pensions. If validated (and there’s a high chance of this in the near future), the data breach will indubitably, and tragically, include personally identifiable information (PII) of some of the country’s most vulnerable demographic, henceforth irrevocably available on the dark web, and beyond. If proven accurate, it will also be the single largest data breach in the history of Sri Lanka’s public sector – around “617 GB of compromised data for download“. To put that into perspective, a new laptop in Sri Lanka has 256 GB of on-board storage. The Pensions Department data breach is nearly 2.5x this.
I wrote a note for the journalist on the incident, and implications – reproduced below.
What I didn’t highlight was an aspect Aingkaran Kugathasan in particular, and others, have repeatedly flagged on social media. The press release from the Pensions Department addressing the cybersecurity issue was only published in Sinhala. This is a continuation of the deeply racist, and unconstitutional language policies in government – no “system change” here to speak of. No one who can’t understand Sinhala will be able to comprehend what the Department’s official response is, including, for what it’s worth, the assurances it gives of steps taken to address cybersecurity risks, and protect pensioners’ PII. This Sinhala-only policy of government, in contemporary Sri Lanka, serves to exacerbate the fallout of cybersecurity incidents.
Secondly, on a call with the journalist, I mentioned that the current digitalisation drive of the government would place even more citizens at risk of cybersecurity incidents, and especially those like pensioners. With digitalisation comes official portals, pathways, and touchpoints for credential verification, registration, PII records, and official transactions that in the past could be done through physical interactions, and printed material. The digitisation of archives, stored data, and new information without investing in cybersecurity will lead to (1) more frequent data breaches, and (2) more serious threats, with compounding effects. I flagged this policy gap, and public communications vacuum in my response. This incident raises a plethora of concerns around what’s promised, and presented as our digital future by those leading the government’s digitalisation drive (including the President), and clearly, starker ground realities going by where government departments are really at.
Sadly, though unsurprisingly, not a single cybersecurity professional in Sri Lanka has flagged either point above.
The title for this post is the best response I can think of to the Pension Department’s press release, which I translated into English. It’s akin to a burglar breaking into one’s house, and stealing all the NICs, bank statements, FD certificates, marriage certificates, birth certificates, loan documents, and documentation related to assets like vehicles, and house, but the homeowner assuring the family that all will be well, because the TV was left behind, and when plugged in, worked perfectly, and showed all the channels it did before the burglary.
“කොහෙද යන්නේ මල්ලේ පොල්” (Koheda yanne malle pol) has no direct translation into English, and is an idiom that communicates that what’s presented or talked about is irrelevant, and often at complete odds with what’s expected or required.
This is the Pension Department’s press release, and response in a nutshell.
Responses to alleged data breach at Pensions Department
Translation of Pensions Department press release on 28 May 2025 to English
In the first week of April 2025, the Information Technology systems of the Pensions Department were subjected to a cyberattack (Ransomware Attack).
The Pensions Department has been implementing technical solutions to provide its services online through the pension management system since approximately 2016. Although cybersecurity measures were in place within the Department, an investigation was immediately launched through the Sri Lanka Computer Emergency Readiness Team (SL CERT) as soon as this cyberattack was reported.
However, action has already been taken to restore the systems to prevent any disruption to the operations of any online information system of the Department due to this cyberattack.
Furthermore, according to current observations, there has been no data damage or loss during the reactivation of the Department’s information systems following this cyberattack.
Currently, the granting of pension benefits or any other service of the Department has not been disrupted, and there are no technical hindrances to implementing the proposed pension revisions as per the budget proposals.
Upon becoming aware of this cyberattack, prompt measures were taken as follows to restore the Department’s information systems and enhance the security of data and information systems:
- Immediately upon identifying the incident, SL CERT was contacted, and an investigation was promptly initiated, uncovering information related to the cyberattack.
- Measures have been taken in collaboration with SL CERT and the Pensions Department’s contracted cybersecurity service provider to further enhance existing cybersecurity arrangements.
- Arrangements have been made to protect the Department’s data systems containing sensitive information under a proactive risk identification methodology, and the SL CERT 24×7 investigation unit will continuously monitor these data systems for potential risks.
- An investigation is being conducted through SL CERT regarding the external exposure of pensioner information. Based on the findings of this investigation, appropriate measures will be taken to prevent any detriment to our service recipients, and they will be duly informed.
Based on the recommendations from the current investigations, if further improvements are required for the Department’s information systems and information security protocols, they will be implemented without delay.
Convergences, and divergences with FalconFeeds.io
FalconFeeds.io tweeted on 27 May 2025[1],
🚨 Cloak Ransomware Alert 🚨 Department of Pensions. The Department of Pensions in Sri Lanka, a government agency responsible for managing pension schemes for public sector employees, has fallen victim to Cloak Ransomware.
Initially, on April 02, 2025, the group posted about an unidentified victim (pe*.lk). On May 26, 2025, they revealed the full domain name, and uploaded over 617 GB of compromised data for download on their dark web portal.
Both the Pensions Department’s press release and the FalconFeeds.io tweet confirm that the Department was the target of a cyberattack. They also align on the timing of the initial incident, with the press release stating it occurred in the “first week of April 2025,” and FalconFeeds.io noting that the ransomware group first posted about an unidentified Sri Lankan government entity (pe*.lk) on 2nd April 2025. The press release refers to a “Ransomware Attack,” which is consistent with FalconFeeds.io specifically identifying “Cloak Ransomware” as the perpetrator.
However, the most significant discrepancy lies in the assertion regarding data compromise. FalconFeeds.io, reporting on the claims of the Cloak Ransomware group, states that on 26th May 2025, the group revealed the Pensions Department as the victim and “uploaded over 617 GB of compromised data for download on their dark web portal.” In direct contrast, the Pensions Department’s press release, dated 28th May 2025, asserts that “there has been no data damage or loss during reactivation” of their systems and that “no data… [was] lost” (the Sinhala original, in translation: “Furthermore, according to current observations, there has been no data damage or loss during the reactivation of the Department’s information systems following this cyberattack.”). However, the press release also mentions an ongoing SL CERT investigation into the “external exposure of pensioner information” (the Sinhala original, in translation: “An investigation is being conducted through Sri Lanka CERT regarding the external exposure of pensioner information, and based on the findings of that investigation, measures will be taken to prevent any detriment to the Department’s service recipients, and our service recipients will be duly informed.”), which implies an acknowledgement that some data may have been exfiltrated, even if the Department does not confirm a large-scale leak or loss from its active systems.
The Pensions Department’s communication – in a telling parallel to communications from Cargills Bank after the largest ever data breach in Sri Lanka’s history in the private sector[2] – focuses heavily on reassuring the public that services, including the granting of pension benefits and the functioning of online systems, have not been disrupted and that planned pension revisions can proceed without technical hindrance. FalconFeeds.io’s tweet, being a cybersecurity alert, focuses primarily on the breach event and the alleged data exfiltration by the ransomware group, without commenting on service availability. The timing also suggests the press release may be, at least in part, a response to the public claims made by the ransomware group, and publicised by platforms like FalconFeeds.io, in addition to cybersecurity experts like Asela Waidyalankara, who tweeted “Potential cybersecurity breach reported at Sri Lanka’s Department of Pensions. Authorities urged to investigate and mitigate urgently. #CyberSecurityLK #SriLanka”.
Problems with the Pension Department’s response
The article by the author and Waidyalankara on the Cargills Bank breach, footnoted earlier, highlighted the bank’s “alleged failure…to promptly inform affected customers about the breach and the exposure of their sensitive data,” noting that their Facebook notices fell far short of what would be required under a fully enacted Personal Data Protection Act (PDPA), which mandates notification to both the Data Protection Authority and the affected data subjects. Similarly, the Pensions Department’s press release focuses on system restoration and general security enhancements, but it does not detail any proactive, direct communication to individual pensioners whose Personally Identifiable Information (PII) may now be circulating on the dark web, as alleged by FalconFeeds.io. While investigations are mentioned, the immediate public message lacks clarity on the specific risks to individuals whose data has been exfiltrated.
This pattern of response is deeply problematic, especially when considering the PII of pensioners. Pensioners often represent a more vulnerable demographic, potentially less equipped to deal with the sophisticated scams and identity theft that can arise from their personal details – such as National Identity Card numbers, addresses, and potentially banking information related to their pension payments – becoming available on the dark web. The availability of “over 617 GB of compromised data” from the Pensions Department, as claimed by the ransomware group and reported by FalconFeeds.io, signifies a severe risk. This data, once on the dark web, can be sold, traded, and exploited indefinitely for financial fraud, targeted phishing attacks, and other malicious activities, causing long-term distress and financial loss to individuals who rely on their pensions for their livelihood.
The failure to provide clear, timely, and direct warnings to those whose specific PII has been exposed deprives them of the opportunity to take preventative measures, such as monitoring their financial accounts more closely or being extra vigilant against suspicious communications. It fosters an environment where victims are unaware of the Sword of Damocles hanging over them. Furthermore, when Sri Lankan government departments managing critical and sensitive data adopt a communication strategy that appears to minimise or obscure the full extent of a data breach, it erodes public trust – which, as the author has repeatedly noted, is at the centre of digitalisation.
Coming after the catastrophic Cargills Bank incident, which laid bare significant weaknesses and drew criticism for its handling, a similar response from a government entity like the Pensions Department suggests that crucial lessons about transparency, accountability, and victim-centric communication in the face of cyberattacks have not been adequately learned or implemented, even by the public sector. This is particularly concerning in a context where the government is moving forward rapidly with digitising public records, and a legislative environment where robust cybersecurity and data protection laws are still developing or not yet fully enforced. (Newswire)