An Australia-based IT engineer has publicly identified a serious data-exposure flaw on the Department of Immigration and Emigration’s (DIE) Electronic Travel Authorisation (ETA) visa page that allows the personal details of any tourist to be retrieved using only a confirmation code, the Sunday Times reports.

Vasantha Saparamadu, who retired as a senior systems engineer at Sydney’s Macquarie University, told the paper that entering only the confirmation code on the ETA status page returns a downloadable record containing the applicant’s full name, passport number, nationality and date of birth. “Anyone with knowledge of the format of the confirmation code can automate the check with a large number of computer-generated confirmation codes, and get access to tourists’ data,” he said.

He demonstrated the seriousness of the flaw by changing only the last digit of his own confirmation code: “I just tried to see what happens if I just deduct 1 from the last digit on my confirmation code… It gave me a link to download another tourist’s data.” The fact that confirmation codes appear to be issued in consecutive order makes brute-force enumeration trivial, he warned. “Confirmation codes should never be consecutive numbers.”

Saparamadu said the fix is a routine engineering change — requiring both the confirmation code and the passport number before any record is returned. He raised the issue in October 2025 with Hans Wijayasuriya, Chief Advisor to the President on Digital Economy, and with the Information and Communication Technology Agency (ICTA) and Sri Lanka Computer Emergency Readiness Team (SLCERT). No remediation followed.
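The two changes Saparamadu describes, confirmation codes that are not consecutive and a lookup that requires the passport number as well as the code, look like this in Python. This is an added example, not the ETA site's code; the in-memory store, field names, function names and sample applicants are assumptions constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory store standing in for the visa database (hypothetical schema).
_RECORDS = {}


def _normalise(passport_number):
    return passport_number.strip().upper()


def issue_confirmation_code(record):
    """Store a record under a random code: 128 bits from the OS CSPRNG, not a counter."""
    code = secrets.token_urlsafe(16)
    _RECORDS[code] = dict(record, passport_number=_normalise(record["passport_number"]))
    return code


def lookup_status(code, passport_number):
    """Return the record only when both the code and the passport number match.

    An unknown code and a wrong passport number give the same answer (None),
    so the response does not reveal which codes exist.
    """
    record = _RECORDS.get(code)
    # For an unknown code, compare against a dummy value so both paths do the same work.
    expected = record["passport_number"] if record else "\0"
    supplied = _normalise(passport_number)
    matches = hmac.compare_digest(expected.encode(), supplied.encode())
    if record is None or not matches:
        return None
    return dict(record)


if __name__ == "__main__":
    # Constructed sample applicants, not real data.
    a = issue_confirmation_code({"name": "Sample Traveller A", "passport_number": "X0000001"})
    b = issue_confirmation_code({"name": "Sample Traveller B", "passport_number": "X0000002"})
    print(lookup_status(a, "x0000001"))             # record A
    print(lookup_status(b, "X0000001"))             # None: code B with A's passport number
    print(lookup_status("not-a-code", "X0000001"))  # None: unknown code
```

With codes drawn at random, subtracting 1 from a valid code no longer lands on another applicant's code, and a code alone returns nothing without the matching passport number.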

An SLCERT official told the Sunday Times the matter had been escalated to DIE. Internal sources said the department is aware of the privacy issue, but has held off on changes while the Supreme Court hears fundamental rights petitions challenging the outsourcing of the e-visa system to private contractors. SLT-Mobitel handles the ETA front-end and could fix the flaw without altering the wider ETA process, those sources added, but DIE wants prior clearance from the AG’s Department after former Controller General of Immigration and Emigration Harsha Ilukpitiya was convicted of contempt of court.

Saparamadu warned the reputational risk could be severe: “No foreigner would want to visit Sri Lanka if they became aware of the fact that their passport details could easily be accessed by hackers through the visa application website of the Sri Lanka Government.”

The disclosure follows a series of government digital security incidents, including a cyberattack on the Public Administration Ministry website and warnings about a fake Department of Registration of Persons website harvesting identity data.