14.3 GB Kudankulam Nuclear Data Leak Exposes Supply Chain Risks for India’s Energy Expansion
Key Takeaways
- A ransomware breach at a contractor for India’s largest nuclear plant has exposed 19,000 engineering and supplier files on the dark web, raising alarms about security gaps that could undermine the country's ambitious nuclear energy growth plans.
Mentioned
Key Intelligence
Key Facts
- 119,000 files totaling 14.3 gigabytes of data from India’s Kudankulam nuclear plant were posted on the dark web by the ransomware group World Leaks.
- 2The leaked data includes construction blueprints, supplier directories, meeting minutes, and equipment inspection records spanning 2016 to 2025.
- 3The breach occurred on servers operated by third-party data center provider Yotta Data Services, not on plant or Reliance Group core systems.
- 4The Nuclear Power Corporation of India Limited asserted the incident ‘does not relate to any nuclear safety or nuclear security-related systems’.
- 5Reliance Group confirmed a limited cybersecurity incident and reported it to India’s CERT-In for investigation.
- 6The Washington-based Nuclear Threat Initiative warned that even non-operational data exposure poses ‘serious’ risk to plant safety.
Analysis
For climate and energy professionals, the breach highlights a blind spot in the push for low-carbon baseload power. As India fast-tracks new reactors at Kudankulam, the 14.3 GB data dump reveals how third-party cybersecurity gaps can cascade into strategic risks, potentially delaying reactor deployments and shaking investor confidence in nuclear infrastructure projects.
The discovery of 19,000 files—14.3 gigabytes of data—from India’s Kudankulam Nuclear Power Plant on a dark web portal operated by the ransomware group World Leaks marks a significant escalation in the targeting of critical infrastructure supply chains. The files, attributed to Reliance Group, a key contractor for the plant’s Units 3 and 4, reportedly include construction blueprints, supplier directories, equipment inspection records, and meeting minutes spanning 2016 to 2025. The breach, first identified in June 2026 by cybersecurity researcher Rakesh Krishnan, occurred not on the plant’s operational technology networks but on servers operated by Yotta Data Services, a third-party data center provider used by Reliance Group. This distinction is central to understanding both the incident’s severity and the official response.
The files, attributed to Reliance Group, a key contractor for the plant’s Units 3 and 4, reportedly include construction blueprints, supplier directories, equipment inspection records, and meeting minutes spanning 2016 to 2025.
Reliance Group has characterized the incident as a ‘partial breach’ confined to the Yotta-hosted environment and insists its core systems were unaffected. The Nuclear Power Corporation of India Limited (NPCIL) stated categorically that the breach ‘does not relate to any nuclear safety or nuclear security-related systems.’ However, the Washington-based Nuclear Threat Initiative warned that even non-operational data exposure poses a ‘serious’ risk to plant safety, pointing to the potential for adversaries to map plant layouts, identify supply chain dependencies, and plan physical or cyber-physical attacks.
The dichotomy highlights a persistent blind spot in critical infrastructure security: while nuclear operators maintain robust defenses around reactor controls and safety systems, the sprawling ecosystem of contractors, subcontractors, and cloud service providers often operates with far fewer protections. Reliance Infrastructure, a Reliance Group company, won a contract in 2018 to develop infrastructure for Kudankulam Units 3 and 4, which are expected to become operational by 2027. The leaked documents, therefore, likely contain detailed engineering and logistics information tied to these under-construction units, expanding the exposure from current operations to future capacity.
The World Leaks group exemplifies the ransomware-as-a-service model, combining encryption attacks with data exfiltration and public shaming on dark web leak sites when extortion demands aren’t met. The group’s tactics mirror those of well-known ransomware collectives that have increasingly targeted industrial sector vendors. In this case, the data dump appears to stem from a breach at a data center, not through direct infiltration of Reliance’s internal networks, reinforcing the growing risk of downstream cyber incidents across cloud supply chains.
India’s computer emergency response team, CERT-In, is now investigating. The incident arrives amid an ambitious national nuclear energy expansion plan, with Kudankulam—India’s largest nuclear power complex—at its core. The planned addition of Units 3 and 4, with two more units in the pipeline, underscores the strategic importance of the facility. A breach of this nature could not only expose sensitive project data but also erode public confidence and invite heightened regulatory scrutiny, potentially delaying project timelines or increasing compliance costs.
From a threat intelligence perspective, the publication of thousands of files on a public dark web forum gives nation-state and non-state actors alike open-source access to engineering schematics and supplier networks. Even if NPCIL’s statement about no compromise of safety systems is technically accurate, the aggregation of such granular infrastructure data over a nine-year period could enable sophisticated threat actors to identify vulnerabilities or plan social engineering attacks against personnel and vendors.
What to Watch
The incident also raises questions about the due diligence frameworks applied to contractors handling sensitive nuclear data. While Yotta Data Services is a prominent Indian data center operator, the security posture of its platforms, the segmentation of tenant environments, and the breach response capabilities have not been publicly detailed. This opacity is symptomatic of a broader challenge in critical infrastructure supply chains, where risk often cascades silently until a public leak forces scrutiny.
Moving forward, the Kudankulam breach will likely accelerate calls for mandatory supply chain cybersecurity standards for the nuclear energy sector, including mandatory breach notification, third-party risk assessments, and continuous monitoring of contractor environments. For India, the incident presents both a cautionary tale and an opportunity to strengthen the digital resilience of its expanding nuclear fleet before more reactors come online.
Sources
Sources
Based on 2 source articles- Akihito Muranaka (in)India’s Kudankulam Nuclear Plant Contractor Hit by Ransomware Data BreachJul 17, 2026
- (in)Kudankulam nuclear power plant ‘data’ on dark webJul 16, 2026
Cite This Page
"14.3 GB Kudankulam Nuclear Data Leak Exposes Supply Chain Risks for India’s Energy Expansion." Climate Intelligence Brief, July 17, 2026. https://getclimatebrief.com/story/kudankulam-data-leak-nuclear-energy-supply-chain
How we covered this story
Every story in our climate coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the climate space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled climate-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |