Sri Lankan e-commerce platform Wishque suffered a data breach early this month. On 4 April, a data dump claiming to belong to wishque.com was published online. According to the post, the online platform was breached back on 30 March. This allegedly compromised 19.7 million records, which include customer emails and phone numbers.
According to the post, these records also include credit card data (name, number, expiration date). But the full numbers appear to be obfuscated. Further, the post itself claims that the data dump includes a lot of temporary/fake emails.

Wishque response
Nearly a month after the incident, Wishque issued a public statement shortly after a viral Facebook post. The company states that the data breach claim “stems from a breach of a test database used strictly for development purposes.” It further mentioned that this refers to “scrambled data” used for testing and system development. However, the sample data in the breach suggests otherwise.
Later, the company followed up with a detailed update. Wishque says its hosting partner, Amazon Web Services, verified that neither its live customer database nor production environment suffered a data breach.
However, following a forensic analysis, the company confirmed that the leaked test database has “limited real customer data.” According to Wishque, this affected only customers who used the site’s wishlist feature.
The leaked data also includes partial credit card information. Wishque states that no full credit card numbers, CVVs, passwords, or billing details were stored in the database. “All transactions are securely processed through trusted third-party payment gateways provided by banks and leading international payment platforms,” the company further said.
The notice goes on to mention that Wishque will notify all affected individuals via phone/email. It’s also engaging third-party cybersecurity experts “to strengthen all environments.”

A continuing lackluster attitude
The incident comes just a month after the Cargills Bank data breach, arguably Sri Lanka’s biggest breach to date. Security incidents have seen a noticeable uptick in Sri Lanka’s online space, both in the public and private sectors. Sri Lanka CERT reported at least 142 security incidents (ransomware, DoS/DDoS, phishing, website breaches, and server compromises) during 2024 alone.

Despite the alarming situation, legislation around data privacy and security has been languishing for years. The Personal Data Protection Act was passed into law in 2022 but remains ineffective due to a lack of provisions for the Data Protection Agency. The cybersecurity bill has been in the works for years and has still not seen any meaningful progress.
It also doesn’t help that the general response has been poor, often resorting to little more than an ambiguous acknowledgment, if at all. For instance, Cargills Bank issued four public statements following the breach, but has yet to publicly communicate the extent of its data breach. On the other hand, Wishque provided a more detailed explanation of its incident. But the disclosure only came after a viral Facebook post, nearly a month later.