Leaked documents from the recent Cargills data breach suggest that the company may have been warned about its lagging security measures almost a year ago. The details came to light after a data dump reportedly belonging to Cargills Bank was made public online.
On March 20, a social media post claimed that the notorious ransomware group Hunters International had breached Cargills Bank. The bank shortly confirmed the attack, though it didn’t offer any specifics. A few days later, the ransomware group released the data, amounting to over a million files in 1.9 terabytes.
The extent of the breach
This data dump includes a slew of sensitive information ranging from customer and employee details to CRIB reports. However, it was only after user @dinidu tweeted findings from the Cargills data breach that the severity of the breach became clear.
The leaked data has thousands of customers’ NIC photos, along with phone numbers and account numbers. There is an entire database of the bank’s 500+ staff, as well as details of prospective and former employees. One file even lists why certain interviewees were selected or rejected, with reasons varying from attitude problems to being pregnant, of all things.
Further, the Cargills data breach includes a host of audit reports from the recent few years. Some of these reports appear to point out alarming security issues within the bank.
Security lapses
For instance, a network infrastructure audit report dating June 20, 2024 specifically highlights Cargills Bank’s poor firewall management. The audit points to employees bypassing its web filtering controls and incomplete forwarding to firewall change logs.
Reportedly, there also haven’t been any user access reviews for firewalls since 2022. It goes on to state that gaps and vulnerabilities found in a 2021 high-risk firewall review remain unaddressed. The same report also mentions the bank doesn’t have a Privileged Access Management solution.
Another document lists further security lapses at Cargills Bank. According to a 2024 Data Leakage and Loss Prevention Review memo, some of the bank’s other data security issues include:
- Sensitive data shared among recipients with no password protection
- No proper data retention and deletion policies for cardholder and other personal data
- Inconsistency in updating and patching systems
- Ineffective backup restoration process
- Stored sensitive personal data is improperly encrypted
- No audit trail to track and monitor downloads within the bank’s core system
- Access controls around USB drives aren’t regulated
Unfortunately, it doesn’t end there. In July 2023, Cargills Bank reportedly suffered a critical system failure. According to a leaked document, the cause was traced back to a hardware issue. The audit team found that the disaster recovery server lacked two-factor authentication and had no backup system for 26 days. As the report put it, “the bank was in an exceedingly vulnerable situation of ‘Single Point of Failure’ [SPOF].”
Another audit report from 2023 talks about an unauthorized access incident at its Wattala branch. This is where two individuals allegedly gained entry in the middle of the night in 2023. The report also claims electrical equipment such as security alarms, CCTV, and PC networks would malfunction owing to pest infestations (rats in the building).
The “gedara yana gaman” response
These reports paint a damming picture, at least where data security at Cargills Bank is concerned. The 2024 report warned that the bank will be at risk of unauthorized access, security breaches, and service interruptions if the issues are left unaddressed. Essentially, the Cargills data breach was a matter of when, not if.
More importantly, the bank has yet to disclose the true extent of the breach to consumers and stakeholders like its clientele and the Colombo Stock Exchange. Dinidu, who initially tweeted about the leak, alleges that the company refused to answer any questions regarding the Cargills data breach. ReadMe also reached out for comments and got similar results.
The bank did eventually issue follow up statements. On March 25, its official response stated that it “isolated the suspected components” and is enhancing security while investigating the incident with the help of “internationally recognized cybersecurity specialists.” It also mentioned that the bank has reported the incident to relevant regulators and law enforcement.
On April 2, Cargills Bank issued another statement. This time, the bank finally confirmed the authenticity of the leak. It clarified that the bank is cooperating with ongoing investigations and will be reaching out to affected stakeholders individually. Cargills Bank claims “core operations remain fully secure” and that “customers may carry out their transactions with complete confidence.” Unfortunately, evidence says otherwise.
By April 4, Cargills Bank PLC reportedly got a court order against Sri Lanka telecom operators barring access to the data dump URL and any information regarding the breach. The court order was obtained under the Online Safety Act.
Where’s my personal data protection?
The Cargills data breach is the biggest known breach in Sri Lanka to date. To put it in context, the previous biggest reported data breach was PayHere, where 65GB of data was leaked online, amounting to over 1.5 million compromised records.
Further, Sri Lanka’s biggest data breach comes at the same time as the government pushes for amendments to the Personal Data Protection Act (PDPA). Ironically, a document from the Cargills data breach dated April 25, 2024, indicates the bank may have been looking into compliance with the PDPA.
The act was to come into full effect by March 19, following the appointment of the Data Protection Agency. But despite being codified into law in 2022, nothing has materialized apart from the amendments.
Time and time again, numerous cybersecurity incidents have showcased it’s pertinent the PDPA is enforced without delay. This has been in the works since at least 2019, and it was finally passed into law three years later. No,w it’s April 2025, and Sri Lanka has seen its biggest data breach. Two massive data breaches, both to financial institutions within three years with zero consequences.
Shaming into accountability
Ideally, it shouldn’t have taken one tweet storm for Cargills to acknowledge the data leak beyond the initial “cybersecurity event involving unauthorized access.” In fact, a publicly listed bank refusing to disclose the extent is negligent and incriminating at the very least. At least PayHere took accountability and communicated its preventive security measures well after its incident.
The Cargills data breach exposed thousands of customer and staff personal details. Some of these are videos where customers read out their full name, address, and show both sides of their ID. With scams getting ambitious in recent years, this only amplifies the current climate. It also has hundreds of document scans of customer signatures. It wouldn’t take much for a malicious actor to commit forgeries. The breach even includes details of the bank’s business dealings with its clientele.
It’s ironic given that Cargills Bank PLC’s own 2024 annual report stated cybercrime and cybersecurity as a key risk indicator. The same report went on to claim it prioritizes “cybersecurity, data privacy, and risk management.”
Sri Lanka has seen plenty of wake-up calls when it comes to data privacy and security violations in the last few years alone. But the best the public got from the biggest data breach in Sri Lanka were three vague social media posts from the responsible party.
Shaming into accountability isn’t a viable future, particularly given the emphasis for digitalization in the country. So, it’s worth asking how far data privacy needs to be violated for regulations and accountability to really matter.
Update: Added context around Cargills Bank’s court order barring access to any information about teh breach.
GIPHY App Key not set. Please check settings