No Sensitive Data Leaked: Government Clarifies on Kudankulam Nuclear Plant Breach
The Union government has firmly denied any compromise of sensitive or nuclear safety-related data following reports of a cyberattack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu. Union Science Minister Jitendra Singh stated on Thursday that there was no breach of nuclear safety or security information, dismissing claims that sensitive files had been leaked.
The clarification came after reports emerged that ransomware group 'World Leaks' had allegedly accessed over 19,000 files related to the plant, including engineering documents, vendor details, and meeting records dating from 2016 to mid-2025. The Nuclear Power Corporation of India Limited (NPCIL) had earlier issued a statement clarifying that the leaked documents pertained only to the engineering, procurement, and construction (EPC) contract for the plant's conventional Balance of Plant (BoP) package.
According to NPCIL, the scope of the contract includes engineering, procurement, supply, construction, and commissioning of common service facilities. These facilities are of a conventional nature, similar to those found in thermal power plants and other process industries. The corporation reiterated that the documents do not relate to any nuclear safety or nuclear security-related systems or information.
The contract for the Balance of Plant package was awarded to Reliance Infrastructure Limited in 2018 through a public tender. Following the reports of the breach, Reliance Group acknowledged a partial data breach involving a server hosted by a third-party data centre provider, Yotta, and informed the government.
India's Computer Emergency Response Team (CERT-In) and NPCIL are currently investigating the incident. Minister Singh stated that there was no immediate need for a review as the incident had nothing to do with nuclear safety or the nuclear facility itself.
The Kudankulam Nuclear Power Plant comprises six Russian-designed VVER pressurised water reactors developed in collaboration with Russia. Units 1 and 2 are operational, while Units 3 and 4 are under construction and are expected to begin operations by 2027. Cybersecurity experts have noted that while there is no indication that reactor systems were compromised, such information could still be useful to hostile actors targeting associated infrastructure or contractors.
The government's response underscores its commitment to maintaining the security and integrity of critical national infrastructure. The investigation continues, with authorities working to determine the full extent of the breach and ensure that any vulnerabilities are addressed.