A recent post on the notorious cybercrime forum BreachForums claims that the Airport and Aviation Services Sri Lanka (AASL) has suffered a data breach. According to the post, the breached data contains approximately 7,083 records that include names, NICs, emails, passport numbers, and other sensitive data.
While the validity of the claim has yet to be confirmed, the sample data on the BreachForums post does very little to curry favor with AASL. It’s worth noting that the Airport and Aviation Services Sri Lanka has suffered a security incident on a previous occasion where a staff email was compromised. At the time, an email belonging to AASL’s safety department was briefly hijacked to send random emails to unsuspecting customers.
The rumored AASL data breach is only the latest (potential) addition to an already long list of state-related cybersecurity incidents. Whether it’s the president’s website, the Ministry of Health, or the Sri Lanka Bureau of Foreign Employment’s database, cyberattacks are a common sight around the country’s e-government infrastructure. The Sri Lankan government’s digital presence has routinely come under fire over its lackluster approach to cybersecurity, particularly as of late considering the aggressive push towards building its national digital infrastructure.
The lagging cybersecurity efforts
If anything, the AASL incident is an apt example of the need for stronger cybersecurity efforts at the government level, along with better protection for the citizenry. For instance, the Personal Data Protection Act was passed into law back in 2022. Two years later, the act has yet to come into action in any capacity. The act’s full provisions as well as the overseeing body the Data Protection Authority is set to be operational by 19 March 2025.
However, it should be pointed out that the government has taken some other steps toward upping its cybersecurity capabilities. Back in March, the Sri Lankan government approved a proposal to join the US-led anti-ransomware initiative that includes over 48 countries as members. A few months later, the government began cybersecurity capacity building for at least 1,000 government employees.
But even as the Sri Lankan government looks to formulate a National Cyber Security Strategy for Sri Lanka for 2024 – 2027, it’s still lagging behind immediate critical infrastructural needs for its own e-government initiatives. As history has shown, an incident at the scale of Airport and Aviation Services Sri Lanka’s nature will unlikely be the last. The question remains how long until Sri Lanka finally catches up to setting stronger frameworks and policies around cybersecurity.
GIPHY App Key not set. Please check settings