Colombo Court Orders to Block Access Over Cargills Data Leak


Massive data leak at Cargills Bank sparks court order to block websites—find out what was exposed.


Colombo Court Orders TRCSL to Block Websites Sharing Cargills Bank Data: A Wake-Up Call for Cybersecurity in Sri Lanka

 

What Happened?

In a dramatic move that underscores the gravity of Sri Lanka’s biggest-ever data breach, the Colombo Chief Magistrate’s Court has ordered the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) to block access to all websites and social media platforms sharing illegally obtained data from Cargills Bank PLC. The decision followed a petition filed by the bank after a reported breach exposed over 1.9 terabytes of sensitive customer and staff data.

Who Filed the Petition and Why?

The legal complaint was filed on April 4, 2025, by attorneys representing Cargills Bank under Section 24 of the Online Safety Act No. 9 of 2024. The case—No. 43022/1/25—targets all local Internet Service Providers (ISPs) and TRCSL. Cargills is seeking to prevent the continued online spread of its leaked internal documents and customer data.


The Cargills Bank Data Breach Incident

Timeline of Events

  • March 20 – Reports emerge of a cyberattack on Cargills Bank.

  • March 21 & 25 – Bank confirms unauthorized access but offers vague details.

  • April 2 – Official confirmation of the breach’s authenticity.

  • April 4 – Cargills files a court case and gets a blocking order.

What Was Leaked?

The hackers reportedly dumped over 1.9TB of data online—totaling more than 1.1 million files. The leaked information includes:

  • NIC and passport photos

  • Specimen signatures

  • CRIB reports

  • Internal audit reports

  • Private employee records

  • Interview evaluations

Hunters International – Who Are They?

The cybercriminal group Hunters International, known for ransomware attacks, is suspected to be behind the breach. Reports suggest they infiltrated the bank’s systems but did not immediately encrypt the data—leaving it wide open for mass theft and exposure.


The Court’s Intervention

Legal Action Under the Online Safety Act

The petition was filed under Section 24 of the Online Safety Act, which allows courts to issue orders against platforms involved in the spread of illegal or harmful online content.

Who Are the Respondents?

Respondents include TRCSL and all Sri Lankan ISPs. The order is aimed at disrupting the spread of hacked content and preventing further reputational and operational damage to the bank.

What the Court Ordered

All relevant websites, including social media accounts sharing the data, must be immediately blocked. The case has been scheduled for review on April 21.


The Impact on Customers

Sensitive Customer Info Exposed

Thousands of customers had their NICs, phone numbers, addresses, and financial records exposed. Some videos even showed individuals reading out private data aloud.

Risks of Identity Theft and Scams

This data dump is a goldmine for scammers. With so many personal details floating around, customers face risks of identity theft, forgery, and financial fraud.

Bank’s Response and Reassurance

Cargills claims it’s working with global cybersecurity experts, isolating affected systems, and enhancing security protocols. It insists core banking services remain unaffected.


Cybersecurity Failures at Cargills Bank

Unpatched Systems and Audit Warnings

Leaked internal audits from 2023–2024 paint a bleak picture. Despite repeated warnings, key issues like unpatched firewalls, missing security logs, and poor disaster recovery planning went unaddressed.

Lapses in Firewall and Access Control

No formal firewall access reviews have been done since 2022. Some systems even lacked basic password protection.

Mismanagement of Sensitive Data

Audit reports flagged multiple instances of unencrypted storage, inconsistent patching, and unregulated USB access. One audit even noted a 26-day backup failure on critical servers.


Sri Lanka’s Cybersecurity Landscape

A Pattern of Breaches

This isn’t the first. In 2023, PayHere—a payment gateway—suffered a massive breach, exposing 65GB of data. But Cargills’ breach overshadows it entirely in volume and severity.

Where’s the Personal Data Protection?

Although the Personal Data Protection Act (PDPA) was passed in 2022, enforcement has lagged. It was supposed to be in full force by March 2025—but little has changed on the ground.

Why Regulation Alone Isn’t Enough

Laws mean nothing without implementation. What’s needed is cyber accountability, public transparency, and real-time enforcement.


Public Response and Backlash

Journalists and Digital Activists Speak Out

Digital rights activists criticized the bank’s silence. Many accused Cargills of hiding the true scale of the incident.

Social Media Storms and Silence from Cargills

It took one viral tweet from user @dinidu to bring public awareness. The bank’s initial reaction? Three generic posts with no details.

“Gedara Yana Gaman” Attitude

Critics say Cargills’ response reflects a culture of brushing issues under the rug until public outrage forces action.


Consequences for the Banking Sector

Eroding Public Trust in Banks

If a major player like Cargills can be so easily breached and fail to inform stakeholders, what about smaller banks?

What This Means for Financial Digitalization

Sri Lanka’s push for digital finance now faces a hurdle—public trust. No one will embrace digital services without strong data protections.


The Role of TRCSL and ISPs

Enforcing the Online Safety Act

This is a test of TRCSL’s power. Can it effectively block access to leaked data across all platforms?

Censorship vs. Data Transparency

While stopping harmful content is essential, total censorship can suppress important discussions about accountability.


Lessons Learned and the Way Forward

Investing in Real Cybersecurity

Banks and public institutions must move beyond compliance checklists and truly invest in cyber resilience.

The Importance of Transparency

Hiding breaches only makes things worse. Openness builds trust. Silence, meanwhile, fuels speculation and fear.

Empowering the Public with Information

Customers deserve to know what happened to their data—and how to protect themselves in the aftermath.


The Cargills Bank data breach is more than just a cyberattack—it’s a wake-up call for the entire nation. It exposes gaps not only in technical defenses but also in transparency, accountability, and public communication. As the legal system steps in to control the narrative, one question remains: How much personal data needs to be violated before we take digital safety seriously?

FAQs

1. What is the Online Safety Act of 2024?

It’s a Sri Lankan law designed to combat harmful online content, including data leaks, hate speech, and misinformation.

2. How can I check if my data was breached?

There’s no official site yet, but if you bank with Cargills, contact customer service and monitor your financial activity closely.

3. What steps should affected customers take?

Update your banking passwords, freeze your credit if necessary, and report any suspicious activity to the authorities.

4. Why is this breach significant for Sri Lanka?

It’s the largest known data breach in Sri Lanka’s history—affecting both financial and personal data on a massive scale.

5. Can TRCSL block international websites?

TRCSL can block access within Sri Lanka, but international sites can only be restricted with cooperation from foreign hosts and platforms.