The Nuclear Power Corporation of India Limited (NPCIL) has officially addressed reports of a data breach involving the Kudankulam Nuclear Power Project. On July 15, 2026, the state-run operator clarified that while files related to the project were accessed by a ransomware group, the incident does not compromise the facility's nuclear safety or security systems. The leaked documents, which were posted on the dark web, reportedly originated from a third-party server managed by a contractor, Reliance Infrastructure, rather than from the plant's internal network.
NPCIL stated that the exposed information pertains strictly to the conventional balance of plant common service facilities for Units 3 and 4, which are currently under construction. These systems, which include standard infrastructure like ventilation and cooling support, are common to many industrial projects and are not integrated with the plant's sensitive nuclear reactor controls. The corporation emphasized that the core operational systems, supplied by Russia's Rosatom, remain entirely separate and untouched by the incident.
Reliance Infrastructure, which was contracted in 2018 to build infrastructure for the project, confirmed a partial data breach on a server hosted by its third-party provider, Yotta Data Services. The company reported that the suspicious activity was identified and contained, with security protocols now enhanced. Both NPCIL and the contractor have informed relevant authorities, including India's Computer Emergency Response Team (CERT-In), to conduct a thorough investigation into the extent of the exposure.
While the breach has raised public concern, officials maintain that the incident is a matter of corporate data security rather than a failure of national nuclear infrastructure. The public can expect continued monitoring as authorities review the security practices of third-party vendors involved in critical projects. For now, the focus remains on ensuring that all contractors adhere to strict cybersecurity standards to prevent future unauthorized access to project-related documentation.
