The Treasury’s Public Debt Management Office, or PDMO, lost millions of dollars in public funds to cyber fraud. The single largest fraudulent payment — nearly a million dollars — left on January 20th. That’s two months after the first warning signs, and 11 days after officials knew fraudsters had been targeting the debt repayment process and had alerted the CID and government cybersecurity team, SLCERT.
Even though cabinet mandated that all Treasury departments connect to the National Cyber Security Operations Centre last year, the PDMO still isn’t linked.
Parliament’s public finance committee, which investigated the cybersecurity breaches, found that SLCERT had written to the Treasury twice last year and twice this year urging them to connect to the cybersecurity operations centre.
“These problems arose because they didn’t connect,” a cybersecurity team official said. “For instance, if someone repeatedly tries passwords into an email we can detect it in real-time.”
Ninety percent of other Treasury departments have now connected to the cybersecurity operations centre — a process which only began after March’s cybersecurity breaches. The PDMO has also now begun to connect to it.
Last week the public finance committee confirmed the $2.5 million theft took place over three months, beginning in November last year. The PDMO, which was supposed to repay Export Finance Australia, authorised payments to an incorrect bank account after receiving “invoices” from an email address that looked similar to the correct address but didn’t have the gov.au domain.
Parliament’s finance committee found systematic institutional failures that allowed even imperfectly executed cyberfraud attempts to succeed.
As SLCERT lacks enforcement power, it depends on government agencies’ voluntary compliance. To address this gap, a new cybersecurity law is being drafted by the legal draftsman.
SLCERT hopes it will become effective this year, and if it does, will likely give the institution power to fine other government institutions for cybersecurity non-compliance. Currently, even though cabinet directed 37 critical government institutions to connect to the cybersecurity operations centre, only about eight have done so to date, the official added.
A comprehensive audit of the Finance Ministry by SLCERT and KPMG, an audit firm, in December 2024 discovered that the ministry failed to meet even “simple measures” required by the government’s own cybersecurity policy, such as the use of multifactor authentication and robust password protocols.
Adherence to the policy would very likely have made attacks more difficult and increased the probability of early detection, said Sanjana Hattotuwa, a digital governance researcher.
“Connectivity with the cybersecurity operations centre may have flagged the lookalike domains or a credential compromise earlier. These aren’t trivial protections.”
Ignored red flags
Yet compliance couldn’t have stopped failures that arose from lackadaisical institutional culture and poor process, Hattotuwa added.
Red flags of the $2.5 million fraud appeared in late November last year when the Central Bank told the PDMO that there were irregularities, including in the beneficiary address. The Bank asked them to reconfirm details with the lender. The Treasury officials went back to the fraudsters’ email thread, wrote to them reconfirming the details, and then asked the Bank to proceed.

The single largest fraudulent payment — nearly a million dollars — left on January 20th, two months after the first warning signs and 11 days after officials knew fraudsters had been targeting the debt repayment process and had alerted the CID and SLCERT.
“It defies belief, and comprehension. No cyber operations centre, at any price, monitors a human being ignoring an explicit warning already in front of them,” said Hattotuwa.