A data breach at the Kudankulam nuclear project has leaked over 19,000 sensitive files, reportedly accessed by the World Leaks ransomware group. The incident has caused “absolute commotion” among senior officials, even as some leaders claim the files are not related to plant safety.

Key Takeaways

  • 19,000 highly sensitive KKNPP files accessed by World Leaks ransomware
  • Leak originated from a Yotta server hosted by Reliance Infrastructure
  • NPCIL and CSIRT have launched investigations amid heightened security concerns

Kudankulam Nuclear Power Project (KKNPP), poised to become India’s largest nuclear park with a total capacity of 6,000 MW, is currently constructing four additional VVER units using Russian technology. Over 19,000 files spanning engineering blueprints, vendor lists, operational records, and insurance policies—dated between 2016 and mid‑2025—were reportedly accessed by the notorious ransomware group World Leaks.

Source of the Breach and Immediate Response

According to Reuters, the breach stemmed from a server operated by third‑party cloud provider Yotta, which belongs to the plant’s contractor, Reliance Group (Anil Ambani). Reliance has acknowledged a “partial breach” but has not disclosed the exact nature of the compromised data. The Nuclear Power Corporation of India Limited (NPCIL) and the Computer Emergency Response Team (CSIRT) have immediately begun a joint investigation.

Historical Context and Potential Impact

This is not the first cyber‑security incident at KKNPP. In 2019, a North Korean‑origin malware infected its administrative network, which was then dismissed as “unbreachable.” The current leak, however, includes detailed schematics of control, cooling, and ventilation systems—information that could enable adversaries to map critical support structures and identify vulnerabilities.

Reliance’s Role and Industry Reaction

Reliance Infrastructure secured the contract in 2018 to build infrastructure for reactors 3 and 4. The breach highlights gaps in risk management for private‑public partnerships, prompting calls for stricter security clauses, mandatory encryption, multi‑factor authentication, and regular penetration testing across all contractor‑hosted systems.

Regulatory Outlook and Next Steps

While a senior NPCIL official asserted that “the leaked files are not related to KKNPP plant safety or nuclear safety,” analysts argue that the distinction is largely semantic, given the files’ relevance to overall plant operations. The Indian government has classified the incident under national security and instructed intelligence agencies to act swiftly. Ongoing investigations will determine whether additional safeguards—such as air‑gapped networks and real‑time threat intelligence—are to be mandated for future nuclear projects.