Home / Editorial

Constitutional Law

How Serious is the Kudankulam Data Leak?

    «
 17-Jul-2026

    Tags:
  • Constitution of India, 1950 (COI)

Source: The Hindu 

Introduction 

Reports emerged that multiple gigabytes of data pertaining to operations at the Kudankulam Nuclear Power Plant in Tirunelveli district, Tamil Nadu, had been copied and subsequently leaked as part of a ransomware attack. The breach was reported to be part of a wider infiltration into Reliance Anil Dhirubhai Ambani Group's Reliance Infrastructure Ltd, and involved 14.3 GB of data on the power plant's operations. The data was hosted on World Leaks, a Dark Web site operated by cybercriminals who infect vulnerable firms with ransomware and threaten to leak data if a ransom is not paid, out of an overall leaked dataset of 1.2 TB. 

Was the Reactor Affected by the Data Leak? 

  • The Nuclear Power Corporation of India Limited (NPCIL) stated that the leaked files do not pertain to the core reactor's operations, which remain the most sensitive component of a nuclear setup. 
  • NPCIL reiterated that the information claimed to be available in the public domain relates only to conventional Balance of Plant (BOP) common service facilities and does not concern any nuclear safety or nuclear security-related systems or information. 
  • A Reliance Group spokesperson said the company was informed by Yotta Data Services Private Limited, its third-party data centre service provider, of a cybersecurity incident involving an attempted ransomware attack that resulted in a partial breach of data hosted on one of Yotta's servers. 
  • Yotta confirmed that enhanced security monitoring and preventive controls are now in place, and the company has directed Yotta to conduct a detailed investigation and submit a report. 
  • Reliance stated in a stock exchange filing that no ransomware execution or data loss or lateral movement occurred. 
  • The leaked files reportedly included multiple drawings, blueprints and supplier details, meeting and inspection records, and equipment reviews, along with reference to a $112 million insurance policy against terrorist attacks, though the applicable premium amount remains unclear. 

What Did Yotta Say About the Cyber Incident? 

  • Yotta, which operates data centres across the country, characterised Reliance as its "customer's private cloud environment," but stated that it had taken steps to address the infiltration once it was detected on May 29. 
  • The company said its managed endpoint security controls detected suspicious activity on a file server belonging to its customer, Reliance Infrastructure. 
  • Yotta stated that it acted immediately, terminating the suspicious process and isolating the affected server, thereby preventing the suspected ransomware from executing. 
  • Its technical assessment confirmed no evidence of ransomware encryption and no lateral movement to any other server or system within the customer's private cloud environment. 
  • The incident was reported to be limited to the single customer-managed server, with no impact on any other Yotta customer or on Yotta's shared cloud platforms, AI cloud infrastructure, datacentre infrastructure, or other services. 

Why Does the Data Leak Matter? 

  • The revelations reportedly sparked considerable concern among top officials at the power plant, even as they sought to downplay the impact of the findings. 
  • The plant has commissioned two 1,000 MWe VVER reactors, together providing a power supply of up to two gigawatts. 
  • These reactors have been built in partnership with the Russian firm Rosatom, and the government is reported to be planning four additional such units, which would triple the installed power production capacity at the facility. 
  • Given the scale and strategic significance of the facility, any breach touching its operational ecosystem — even one confined to non-core, third-party-managed systems — raises broader concerns about the cybersecurity posture surrounding critical national infrastructure. 

Conclusion 

While NPCIL and Reliance Infrastructure have maintained that the leaked data pertains only to non-sensitive Balance of Plant facilities and not to the Kudankulam plant's core reactor or nuclear security systems, the incident underscores the vulnerabilities that can arise through third-party data centre providers connected, even peripherally, to critical infrastructure. With the facility's power capacity set to expand significantly through additional reactor units planned in partnership with Rosatom, the episode highlights the need for robust cybersecurity oversight across the entire supply chain supporting India's nuclear energy infrastructure.