Daily Mirror - Print Edition

$2.5M Treasury Heist : Urgent questions on access governance

25 Apr 2026

  • “Over 80% of cyber breaches globally involve identity misuse; attackers no longer need to break into systems when they can simply use legitimate accounts and trusted workflows.”
  • “If not properly managed, access builds up over time in excess of what is needed—a dangerous scenario known as ‘privilege creep’ that leaves institutions vulnerable from within.”
  • “The incident demonstrates how a single compromised email or altered message can have far-reaching consequences when critical financial approvals rely on manual verification.”

The diversion of nearly USD 2.5 million from Sri Lanka’s Treasury highlights a dangerous evolution in financial crime: the manipulation of trusted communication rather than traditional hacking. With investigations pointing toward compromised emails and “privilege creep,” the incident underscores a global reality in which over 80% of breaches involve identity misuse. As Sri Lanka’s digital transformation accelerates, this heist serves as a critical wake-up call to move beyond simple perimeter defence toward a “Zero Trust” model that continuously validates every access point and financial approval pathway.
The confirmation that nearly USD 2.5 million was diverted from Sri Lanka’s Treasury systems has caught national attention, with the latest updates suggesting a payment diversion involving compromised email communications. Sri Lanka CERT and law enforcement agencies are among the authorities continuing their investigations, while international parties have also confirmed irregularities in the transaction process. 
The full facts of how this incident occurred are still under investigation at this stage.  One thing is clear, though: this was not just a conventional “cyberattack” in the traditional sense of systems being broken into from the outside. Rather, it seems to involve manipulation of trusted channels of communication and financial processes, which raises larger issues of access and control over transactions. 
Studies show that over 80% of cyber breaches globally involve identity misuse or compromised access. This means attackers often do not have to directly circumvent security systems. Instead, they use legitimate accounts, trusted workflows, and what looks like valid instructions to perform their actions. 
This is where many organisations, in particular large public institutions, face a growing challenge. 
As organisations grow, access grows too. Employee roles change, external parties become involved, and temporary permissions are granted for operational purposes. If not properly managed, access builds up over time in excess of what is needed, a scenario sometimes described as “privilege creep.” 
Meanwhile, critical activities like financial approvals and payment instructions are often carried out through email and manual verification. If these processes are not adequately controlled, a single compromised email or altered message can have far-reaching consequences without being detected immediately. 
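The validation the article calls for is concrete enough to write down. The following is an added illustration, not the Treasury’s workflow or any product’s code: it checks a payment instruction against the beneficiary details already on file and requires approvals from more than one person and more than one channel, so that a single altered email cannot release a payment on its own. The vendor record, the instruction, the approvals and the policy thresholds are constructed sample data for this example.

```python
"""Validate a payment instruction with dual-control and dual-channel rules.

Added illustration for the point above; not the Treasury's system or any
vendor's product. All records and thresholds below are constructed.
"""

# Vendor master: bank details the institution verified earlier through its
# own vendor-onboarding process. Constructed sample data; ids are made up.
VENDOR_MASTER = {
    "V-102": {"name": "Lanka Supplies (Pvt) Ltd", "account": "LK-0001-7788-1234"},
}

# Policy assumptions for this example, not taken from the article.
LARGE_PAYMENT_THRESHOLD = 100_000   # payments at or above this need a callback
MIN_APPROVERS = 2                   # distinct approvers, excluding the preparer


def validate_instruction(instruction, approvals, vendors=VENDOR_MASTER):
    """Return (ok, reasons). An empty reasons list means the payment may be released.

    instruction: {"vendor_id", "account", "amount", "channel", "prepared_by"}
                 where "channel" is how the instruction arrived (e.g. "email").
    approvals:   list of {"approver", "channel"}; "channel" is the medium the
                 approver used to confirm (portal, phone callback, email, ...).
    """
    reasons = []

    # 1. Beneficiary details must match what is already on file. A changed
    #    account number is handled by the vendor-change process, never by the
    #    payment instruction itself, so a mismatch is a hard stop.
    vendor = vendors.get(instruction["vendor_id"])
    if vendor is None:
        reasons.append("vendor not in master record")
    elif vendor["account"] != instruction["account"]:
        reasons.append("beneficiary account differs from vendor master record")

    # 2. Dual control: at least MIN_APPROVERS people other than the preparer.
    approvers = {a["approver"] for a in approvals}
    approvers.discard(instruction["prepared_by"])
    if len(approvers) < MIN_APPROVERS:
        reasons.append(f"fewer than {MIN_APPROVERS} independent approvers")

    # 3. Dual channel: if every approval came over the same channel as the
    #    instruction (typically email), one compromised mailbox could have
    #    produced all of it.
    channels = {a["channel"] for a in approvals}
    if channels <= {instruction["channel"]}:
        reasons.append("every approval arrived over the same channel as the instruction")

    # 4. Large payments need a voice callback to the number held on file,
    #    not a number quoted in the instruction.
    if instruction["amount"] >= LARGE_PAYMENT_THRESHOLD and "phone_callback" not in channels:
        reasons.append("large payment lacks a callback to the number on file")

    return (not reasons, reasons)


# Constructed case 1: a genuine instruction, approved in the portal and by callback.
LEGITIMATE = {"vendor_id": "V-102", "account": "LK-0001-7788-1234",
              "amount": 250_000, "channel": "email", "prepared_by": "b.silva"}
LEGIT_APPROVALS = [{"approver": "a.perera", "channel": "approval_portal"},
                   {"approver": "c.fernando", "channel": "phone_callback"}]

# Constructed case 2: same vendor, but the account was altered in the email
# and the only "approvals" are email replies, one of them from the preparer.
DIVERTED = {"vendor_id": "V-102", "account": "LK-0009-5555-9876",
            "amount": 250_000, "channel": "email", "prepared_by": "b.silva"}
DIVERTED_APPROVALS = [{"approver": "a.perera", "channel": "email"},
                      {"approver": "b.silva", "channel": "email"}]

if __name__ == "__main__":
    for label, instr, appr in (("legitimate", LEGITIMATE, LEGIT_APPROVALS),
                               ("diverted", DIVERTED, DIVERTED_APPROVALS)):
        ok, reasons = validate_instruction(instr, appr)
        print(label, "RELEASE" if ok else "HOLD", reasons)
```

The diverted case fails on four independent grounds; the design point is that each rule would have stopped it alone, so an attacker who controls one mailbox has to defeat the vendor master, a second person, a second channel and a callback to a number they did not supply.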
The recent Treasury incident demonstrates how trusted systems and trusted communication channels themselves can be points of vulnerability.  The fast-paced digital transformation in Sri Lanka further adds urgency to this issue. More government services are going online, and more cross-border financial interactions are occurring, so the number of users, systems and access points keeps growing. This transformation is critical, but it needs stronger mechanisms to ensure access is controlled properly and continuously monitored. 
Sri Lanka has already started to move in this direction, which is encouraging. The 2023 government cybersecurity circular mandates structured information security practices across public institutions, including controls to prevent unauthorised access.
Recent efforts by the Ministry of Digital Economy have included the addition of threat intelligence and attack surface monitoring capabilities to improve visibility across government systems.  
These are major developments. But visibility alone is not enough. 
The critical challenge is to ensure access is approved, continuously validated, and controlled. In many environments there is a gap between what is formally approved and what is actually configured in systems: permissions may be revoked unexpectedly, and changes may be made outside formal processes.  
That is why incidents like this serve as a reminder that better governance around access and verification is needed.  Organisations must grant access only on the basis of clear need and for limited periods, and must review it regularly. Critical transactions also require sound validation mechanisms that do not rely on a single communication channel. 
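The gap between what was approved and what a system actually grants can be measured rather than assumed. The script below is an added illustration, not code from any government system or vendor: it reconciles an access-request register against an entitlement export and lists the kinds of drift the article describes, namely access that was never approved, temporary grants that have outlived their expiry, privileges that have gone unused, approved access that is missing, and one person holding both the preparer and approver roles for payments. The user names, roles, dates and the toxic-combination rule are constructed sample data and assumed policy.

```python
"""Reconcile approved access against actual entitlements and flag drift.

Added illustration, not code from any government system or vendor. All
records below are constructed sample data; the policy is assumed.
"""
from datetime import date

REVIEW_DATE = date(2026, 4, 25)   # the day the review is run (constructed)
DORMANT_DAYS = 90                 # unused for longer than this = candidate for removal

# Access-request register: (user, role) -> expiry date, None for standing access.
APPROVED = {
    ("a.perera", "payment_approver"): None,
    ("b.silva", "payment_preparer"): None,
    ("c.fernando", "treasury_admin"): date(2026, 3, 31),    # temporary grant, now expired
    ("d.jayasinghe", "payment_preparer"): date(2026, 6, 30),  # temporary grant, still valid
    ("e.dias", "auditor_readonly"): None,                    # approved but never provisioned
}

# Entitlement export from the system: (user, role, last_used); None = never used.
ACTUAL = [
    ("a.perera", "payment_approver", date(2026, 4, 24)),
    ("b.silva", "payment_preparer", date(2026, 4, 24)),
    ("b.silva", "payment_approver", date(2025, 11, 2)),      # never approved; also a preparer
    ("c.fernando", "treasury_admin", date(2026, 4, 22)),     # expired grant still live and in use
    ("d.jayasinghe", "payment_preparer", None),              # granted but never exercised
    ("x.contractor", "payment_approver", date(2025, 9, 15)), # left behind after an engagement
]

# Role pairs one person should never hold together (assumed policy).
TOXIC_COMBINATIONS = {frozenset({"payment_preparer", "payment_approver"})}


def reconcile(approved, actual, today, dormant_days=DORMANT_DAYS):
    """Compare register and export; return sorted findings by category."""
    findings = {"unapproved": [], "expired": [], "dormant": [], "missing": [], "sod_conflict": []}
    live = {(user, role) for user, role, _ in actual}

    for user, role, last_used in actual:
        key = (user, role)
        if key not in approved:
            findings["unapproved"].append(key)           # present in system, absent from register
        elif approved[key] is not None and approved[key] < today:
            findings["expired"].append(key)              # temporary grant past its expiry
        if last_used is None or (today - last_used).days > dormant_days:
            findings["dormant"].append(key)              # privilege held but not exercised

    for key in approved:
        if key not in live:
            findings["missing"].append(key)              # approved but not actually granted

    roles_by_user = {}
    for user, role in live:
        roles_by_user.setdefault(user, set()).add(role)
    for user, roles in roles_by_user.items():
        if any(combo <= roles for combo in TOXIC_COMBINATIONS):
            findings["sod_conflict"].append(user)        # segregation-of-duties breach

    return {category: sorted(items) for category, items in findings.items()}


if __name__ == "__main__":
    for category, items in reconcile(APPROVED, ACTUAL, REVIEW_DATE).items():
        print(f"{category:12s} {items}")
```

Run against the constructed data, the review flags two unapproved grants, one expired grant that is still in daily use, three dormant privileges, one approved entitlement that was never provisioned, and one user who can both prepare and approve a payment. A periodic run of this kind, with findings routed to the access owners, is what “regularly review access” looks like in practice.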
One emerging global approach to this challenge is the concept of “never trust, always verify,” or as it is often called, Zero Trust. This method stresses the persistent authentication of users, systems and activities even if they come from within trusted zones. 
In the end, cybersecurity today is not merely about protecting systems from external threats. It also means ensuring that internal processes, access rights and decision pathways are robust, transparent and accountable.  While this incident is still under investigation, it is a timely reminder for public and private sector organisations that strong systems are not enough: access and control need to evolve with them.