India – Kudankulam nuclear plant data breach raises security concerns

Friday, July 17, 2026
5 mins read
Kudankulam nuclear plant data breach
Photo Credit: Reuters

The Kudankulam nuclear plant data breach reportedly exposed blueprints, inspection records and supplier details linked to two units under construction, but Indian authorities maintain that no nuclear safety or security systems were compromised.

The Kudankulam nuclear plant data breach has raised concerns about cybersecurity across India’s critical infrastructure after a ransomware group published thousands of files allegedly connected to the country’s largest nuclear power facility.

World Leaks, a ransomware and data extortion group, reportedly uploaded nearly 19,000 files containing references to the Kudankulam Nuclear Power Plant in Tamil Nadu. The documents totalled approximately 14.3 gigabytes and had been available on the group’s dark web platform since June 11.

The files were allegedly obtained from Reliance Group, whose subsidiary Reliance Infrastructure was contracted to develop common infrastructure for Units 3 and 4 of the nuclear project. Reliance acknowledged that a partial breach had occurred on a third-party server but did not disclose the complete nature of the compromised material.

Kudankulam nuclear plant data breach linked to contractor

The reported incident appears to have affected a server containing Reliance Infrastructure data rather than the operational computer systems of the nuclear facility.

Reliance Infrastructure secured an engineering, procurement and construction contract in 2018 for common service facilities supporting Units 3 and 4. The two units remain under construction and are designed to add a combined 2,000 megawatts of generating capacity.

The Nuclear Power Corporation of India Limited, which operates the facility, said the information reportedly made public related only to conventional Balance of Plant common service facilities.

Balance of Plant systems generally include supporting infrastructure outside the primary nuclear reactor island. NPCIL said the files did not relate to nuclear safety, nuclear security or other sensitive reactor systems. The corporation published an official clarification on July 16 stating that the alleged leak involved drawings and data associated with common service facilities.

India’s Minister of State for Atomic Energy, Jitendra Singh, also said no sensitive information had been exposed. He maintained that the incident had no connection with the plant’s nuclear safety or security systems and did not create an immediate requirement for a broader safety review.

What files were reportedly exposed?

The published material purportedly included engineering drawings, supplier information, equipment reviews, inspection records, meeting documents and insurance policies.

Some files appeared to contain drawings of ventilation and cooling infrastructure for Units 3 and 4, together with the layout of a common control room. Other documents reportedly identified suppliers involved in the construction project and contained photographs taken during equipment inspections.

The documents were dated between 2016 and mid-2025. Journalists who examined the files could not independently verify their authenticity, meaning the precise scope and sensitivity of the material remain uncertain.

The 19,000 files associated with the search term “KKNP” appeared to form part of a significantly larger collection of about 858,000 Reliance-related files published by World Leaks.

While the documents did not appear to contain information about reactor core systems, cybersecurity experts warned that details about supporting infrastructure, suppliers and personnel could still be valuable to hostile actors.

Such information could potentially help an attacker understand how a project is structured, identify companies with authorised access or determine which contractors possess additional sensitive data. However, there is currently no public evidence that the files have been used to interfere with the plant or its construction.

Reliance Infrastructure data breach traced to external server

The suspected Reliance Infrastructure data breach involved a server operated by Indian data centre provider Yotta.

Yotta said it detected suspicious activity on May 29 and immediately terminated it. The company said an attempted ransomware execution had been prevented, but Reliance Infrastructure later informed it that external actors were claiming to possess stolen data.

The data centre provider said it had not independently verified the ransomware group’s claims. It nevertheless conducted a technical investigation, shared its findings with Reliance Infrastructure and continued to support the inquiry.

Reliance said it had informed the Indian government about the partial breach. The Indian Computer Emergency Response Team, commonly known as CERT-In, was also reported to be examining the incident.

The different timelines presented by the companies leave important questions unanswered, including when the files were extracted, how the attackers obtained access and why documents appeared online despite the reported prevention of ransomware execution.

Stopping ransomware software from encrypting a server does not necessarily mean that data exfiltration has been prevented. Many modern ransomware groups steal information before attempting to encrypt computer systems, allowing them to threaten publication even when the encryption process fails.

World Leaks ransomware group uses data extortion

The World Leaks ransomware group follows a model in which corporate data is stolen and published if a targeted organisation refuses to meet an extortion demand.

The group has previously claimed attacks involving multinational companies, including Nike and India’s Tata Group. In June, it said it had demanded $1.5 million before publishing Tata-related files that allegedly included component designs linked to major international clients.

World Leaks did not publicly respond to questions concerning the Reliance data. Its dark web platform can only be accessed through specialised software and is used to advertise or publish information allegedly taken from targeted organisations.

The publication of contractor documents demonstrates how cyber threats to nuclear facilities can emerge outside a plant’s protected operational network. Attackers may target engineering companies, suppliers, data centres or professional service providers that hold information about critical projects.

This supply chain risk means India nuclear plant cybersecurity cannot be limited to reactor systems alone. Contractors and vendors with access to project documents must also maintain security standards proportionate to the sensitivity of their work.

Core reactor systems reportedly remained isolated

NPCIL has emphasised that the affected data was unrelated to nuclear safety and security systems. The documents also did not appear to concern the core reactor technology, which is supplied by Russia’s state-owned nuclear company Rosatom.

Kudankulam’s two operational VVER-1000 reactors each have a capacity of 1,000 megawatts. Unit 1 entered commercial operation in December 2014, while Unit 2 followed in March 2017. Together, they have an operating capacity of 2,000 megawatts.

Units 3 and 4 are being constructed as part of the facility’s expansion and are also designed as 1,000-megawatt reactors. Units 5 and 6 are at different stages of development, with the overall Kudankulam complex planned to reach 6,000 megawatts.

NPCIL states that Indian nuclear power stations follow a defence-in-depth approach involving redundant, diverse and independent safety systems. The company is responsible for the design, construction, commissioning and operation of India’s commercial nuclear reactors.

However, separating reactor controls from public networks does not eliminate every cybersecurity risk. Construction documents, access information, supplier records and supporting systems may remain stored on external corporate networks.

Kudankulam cyberattack follows 2019 incident

The latest Kudankulam cyberattack concerns follow an earlier malware incident reported at the facility in 2019.

Malware associated with a North Korean-linked hacking group was discovered on an administrative computer connected to NPCIL’s corporate network. Authorities said at the time that the infected administrative system was separate from the plant’s internal operational network and that reactor systems were not affected.

The 2019 incident and the latest contractor data leak are technically different. The earlier case involved malware found within an NPCIL administrative network, while the 2026 incident appears to involve data obtained from infrastructure connected to an external contractor.

Both cases nevertheless demonstrate the broader security challenges created by the large number of organisations and computer systems involved in nuclear construction and operation.

India critical infrastructure security faces wider challenge

The reported nuclear power plant data leak comes as Indian organisations face growing ransomware, espionage and data theft threats.

Critical infrastructure projects typically rely on extensive networks of construction companies, equipment manufacturers, consultants, insurers and technology providers. Each organisation can hold information that may be useful to cybercriminals or hostile intelligence actors.

Security measures therefore need to cover the complete information supply chain. These may include strict controls on contractor access, data classification requirements, encryption, network monitoring, regular security assessments and rapid reporting of suspicious activity.

The Kudankulam incident has not been shown to have affected electricity generation, reactor operations or nuclear safety. Indian authorities have also rejected claims that sensitive nuclear systems were exposed.

Nevertheless, the apparent publication of thousands of documents connected to a major nuclear project highlights the difference between protecting operational technology and securing the wider network of contractors supporting critical infrastructure.

A full assessment by NPCIL, CERT-In, Reliance Infrastructure and Yotta will be necessary to establish which files were taken, how the attackers obtained them and whether additional security measures are required across companies participating in India’s nuclear energy programme.

Published in SouthAsianDesk, July 17, 2026
Follow SouthAsianDesk on XInstagram and Facebook for insights on business and current affairs from across South Asia.

Leave a Reply

Your email address will not be published.