Massive Cyberattack Hits Sri Lanka’s Pension Department: Over 617GB of Data Leaked on Dark Web

A severe ransomware attack has struck Sri Lanka’s Department of Pensions, with the notorious CLOP ransomware group leaking over 617GB of sensitive data on the dark web. The cyber breach, first uncovered by cybersecurity firm FalconFeeds.io, is one of the most significant attacks targeting a critical government institution in Sri Lanka, responsible for managing pension schemes for public sector employees.

Attack Timeline and Scope

The attack was initially detected on April 2, 2025, when the department’s data systems were compromised. Director General Chaminda Hettiarachchi confirmed the breach, stating that immediate measures were taken in collaboration with Sri Lanka CERT to recover 100% of the compromised data.

Despite early claims, the attackers only revealed the full domain name (starting with pe*.lk) on May 26, following the partial disclosure of the department’s identity. Subsequently, a substantial volume of stolen data was uploaded to their dark web platform.

Sensitive Data Potentially Exposed

The leaked data reportedly includes institutional records and personal information of pensioners. However, the exact nature and sensitivity of the leaked files remain unconfirmed by officials. Hettiarachchi admitted that the department has not taken steps to publicly notify affected individuals, citing concerns about creating public panic.

Pension Payments Unaffected

The Director General assured that pension disbursements have not been disrupted, although he acknowledged long-standing security vulnerabilities in the department’s systems, including outdated software and hardware. He emphasized that firewalls and antivirus protections have since been strengthened.

Investigation Underway

Senior Information Security Engineer Charuka Damunupola of Sri Lanka CERT confirmed an ongoing investigation but noted that the specific data at risk has yet to be verified.

Expert Warnings and Systemic Weaknesses

Cybersecurity expert Asela Vaidyalankara warned that the incident increases the risk of fraud and identity theft among pensioners, a demographic with low digital literacy. He highlighted the risk of phishing attacks using fake calls and messages to obtain OTP codes and email credentials.

He also pointed to the lack of enforcement of Sri Lanka’s Cybersecurity Act and Data Protection Act as a major vulnerability. The Data Protection Authority, initially planned for launch by September 19, has yet to become operational, leaving no regulatory body in place to manage such incidents or hold institutions accountable.

Public at Risk, Legal Gaps Exposed

If the data protection laws were in full effect, affected individuals could seek compensation, and the department would be liable for significant fines. The lack of consequences, Vaidyalankara notes, contributes to institutional negligence in data security.

He advised children of pensioners to educate and protect their elderly family members from scams, avoid sharing personal information over phone calls, and encourage basic awareness of smartphone and social media security.
