A major cybersecurity incident has compromised sensitive information relating to the Kudankulam Nuclear Power Plant in Tamil Nadu, India's flagship atomic facility. The ransomware group World Leaks has published an extensive collection of files on the dark web, allegedly sourced from Reliance Group, one of the plant's principal contractors. The disclosure marks a significant breach of India's nuclear security infrastructure and raises troubling questions about the protection of critical infrastructure across the region.

Kudankulam stands as India's largest nuclear power installation and forms a cornerstone of Prime Minister Narendra Modi's strategy to substantially increase the nation's nuclear energy generation. The facility currently operates multiple units and is expanding with Units 3 and 4 under construction, expected to commence operations by 2027 and generate a combined 2,000 megawatts of electricity. Reliance Group, controlled by Indian businessman Anil Ambani, serves as a contractor for the expansion project, having secured a 2018 contract to design and construct supporting infrastructure for the two new units.

Reliance Group confirmed to Reuters that a partial data breach occurred affecting servers hosted by Yotta, an Indian third-party data centre service provider. The company stated that Indian government authorities had been notified of the incident but declined to specify the scope of compromised information. The breach appears to have occurred sometime before late June, when external actors began making claims about stolen data. Yotta reported detecting suspicious activity on May 29 on a Reliance Infrastructure server, which the provider immediately terminated and stated was prevented from executing suspected ransomware, though the subsequent data theft suggests the damage had already occurred.

The World Leaks ransomware group, previously responsible for targeting multinational corporations including Nike and India's Tata Group, has posted approximately 19,000 files from a total cache of 858,000 Reliance documents on its dark web platform. Reuters reviewed the materials, dated between 2016 and mid-2025, though the outlet could not independently verify their authenticity. The disclosed documents allegedly encompass facility blueprints, supplier catalogues, meeting records, inspection reports, equipment reviews, and insurance policies related to the nuclear facility.

Nuclear security experts assess that the exposed materials pose genuine risks to facility safety and operational security. Nickolas Roth, a senior director at the Nuclear Threat Initiative, a nonprofit organisation advising governments on nuclear security matters, characterised the breach as presenting "serious" dangers. Researchers note that adversaries wielding such documentation could theoretically exploit the information to chart support systems architecture, identify critical suppliers, and discover vulnerabilities in the security supply chain. The disclosed materials apparently include proposed ventilation and cooling system blueprints for Units 3 and 4, complete floor layouts of a central control room, vendor proposals, approved supplier listings, and records of joint inspections between the Nuclear Power Corporation and Reliance.

Particularly concerning is documentation suggesting that Reliance Infrastructure and the Nuclear Power Corporation procured insurance coverage providing $112 million protection against terrorism-related incidents affecting either new unit. This detail, combined with facility layouts and supplier information, could enable hostile actors to identify critical access points and personnel responsible for various systems, thereby illuminating the security structure protecting one of South Asia's most sensitive installations.

The Nuclear Power Corporation of India, which oversees commissioning and operation of the country's atomic facilities, has engaged with Reliance regarding the breach, while India's primary cybersecurity authority, the Indian Computer Emergency Response Team (CERT-In), has launched an investigation. However, neither the Nuclear Power Corporation's chairman Rajesh Veeraraghavan, CERT-In, the government's communications office, nor the Department of Atomic Energy have provided substantive public commentary. Prime Minister Modi's office similarly declined to respond to inquiries regarding the incident.

World Leaks, the responsible ransomware group, operates according to a familiar extortion model: after stealing corporate data and demanding ransom payments, the organisation publishes stolen files on its dark web platform when companies refuse to comply. In June, the group informed Reuters it had sought $1.5 million for Tata Group materials containing confidential component designs belonging to Apple and Tesla, publishing the data after Tata reportedly disregarded the ransom demand. The group declined to respond to questions regarding the Reliance breach or ransom demands in that case.

This incident represents an alarming trend within India's cybersecurity landscape. The nation currently ranks third globally for data breaches, with 28.9 million accounts compromised during the preceding year, surpassed only by the United States and France according to cybersecurity firm Surfshark. More disturbingly, a joint report by the Data Security Council of India and cybersecurity firm Seqrite surveying 204 domestic organisations found that approximately 73 percent were uncertain whether they had experienced cyberattacks, while 57 percent lacked fundamental cyber hygiene practices. This widespread organisational blindness regarding security threats suggests that the Kudankulam incident may represent merely the visible portion of a much larger problem.

Kudankulam has previously experienced cyber incidents, though with less severe implications. In 2019, malware associated with North Korean hacker groups was detected on the plant's administrative network. The Nuclear Power Corporation stated at that time that the matter underwent immediate investigation and that core plant systems remained unaffected. That earlier intrusion demonstrated that hostile actors had already identified the facility as a potential target, making the current breach particularly troubling as it provides attackers with detailed technical knowledge of facility operations and infrastructure.

The implications extend beyond India's borders, affecting broader Southeast Asian and South Asian security considerations. As nuclear energy programmes expand across the region—with neighbouring countries increasingly pursuing atomic capacity—the Kudankulam breach illustrates fundamental weaknesses in cybersecurity resilience among nuclear infrastructure operators. The exposure of contractor documentation, supplier networks, and facility specifications creates vulnerabilities that could be exploited to disrupt operations or compromise safety systems. The incident underscores the necessity for substantially elevated cybersecurity standards, regular security audits, and enhanced information compartmentalisation across nuclear and critical infrastructure projects throughout South Asia.

Moreover, the involvement of a third-party data centre provider highlights how security weaknesses can propagate through supply chains, even when direct operators maintain reasonable protections. Yotta's claim that it prevented ransomware execution but failed to prevent data exfiltration suggests that organisations must implement more sophisticated detection and prevention mechanisms addressing data theft rather than merely execution prevention. This architectural lesson applies across the region as companies and governments increasingly rely on cloud and outsourced data storage solutions for sensitive information.