Major Breach at Kudankulam: Leaked Documents Expose Nuclear Security Risks
The leak of thousands of confidential documents from the Kudankulam Nuclear Power Plant project is not merely another cybersecurity incident—it is a grave national security failure. Nuclear installations demand the highest standards of protection because even seemingly peripheral systems can have far-reaching consequences for public safety. The exposure of sensitive technical information related to India’s largest nuclear power project raises disturbing questions about the country’s preparedness to safeguard its most critical infrastructure and whether commercial contractors entrusted with such responsibilities are subject to adequate oversight.

Among the nuclear plants operating in India today, the largest in terms of installed capacity is the Kudankulam Nuclear Power Plant in Tirunelveli district, Tamil Nadu. It comprises two Russian-built reactors, each with an installed capacity of 1,000 MW. Two additional units are currently under construction.
News has now emerged that approximately 19,000 highly valuable documents (about 14.3 GB) related to these nuclear projects have been leaked. In mid-2026, an international ransomware group posted these files on the dark web. The documents appear to have been exfiltrated from the archives of the Reliance Group, the contractor responsible for infrastructure construction at the Kudankulam Nuclear Power Plant (Units 3 and 4).
Those familiar with the matter state that the leaked documents—including blueprints for the ventilation and cooling systems, layouts of the control room floor, lists of approved suppliers, inspection reports, equipment reviews, and insurance documents—could pose significant security risks. The files date from 2016 to mid-2025. Reliance has confirmed a “partial breach” of its servers and reported that suspicious activity was detected on May 29, 2026.
It is important to understand the nature of the security threats such a leak can create.
According to Reliance spokespersons, the leaked files pertain to Units 3 and 4, which are still under construction. As such, they are not believed to pose an immediate security threat to operating units. However, the documents could enable stakeholders to identify vulnerabilities in non-core systems of these units, which are scheduled for completion in 2027, and potentially disrupt supply chains. The risk of targeted cyber attacks on these systems has also increased. Detailed information about the companies supplying critical plant machinery could further compromise the security of both the operating and under-construction units.
The security systems of nuclear plants are typically operated on highly segmented networks, making remote control extremely difficult. Nevertheless, the possibility of disruptions—particularly to cooling systems—cannot be entirely ruled out. (It is worth recalling that cooling system failures were the primary cause of the Fukushima disaster in Japan.) Experts such as Nicholas Roth, Director at the Nuclear Threat Initiative-NTI, and a specialist in nuclear safety, have described this incident as a serious lapse in plant security protocols.
The Kudankulam nuclear project has been promoted by authorities as a flagship symbol of India’s much-vaunted “nuclear renaissance.” The loss of sensitive files related to the project represents a serious security threat and could jeopardise India’s future nuclear expansion plans, especially amid existing public distrust of nuclear power plants in the local population.
Although the probability of this file leak directly compromising the physical security of the Kudankulam nuclear project remains low, it has exposed serious concerns regarding potential supply-chain sabotage and weaknesses in national cybersecurity.
It is also worth noting that this is not the first cyber incident involving the Kudankulam plant. A similar event occurred in 2019 when DTrack malware, attributed to North Korea’s Lazarus Group, infected the administrative networks and reportedly reached the domain controller. The attackers focused on data theft rather than attempting to seize control of operational safety systems. The Nuclear Power Corporation of India (NPCIL) initially denied the breach but later confirmed it.
Nuclear advocates have long ensured legal protection against the public disclosure of safety analysis reports for nuclear plants. Safety Analysis Reports (SAR) are exempted from the scope of the Right to Information Act, 2005. In a notable case between the Nuclear Power Corporation of India and prominent anti-nuclear activist Dr. S.P. Udayakumar, the Delhi High Court ruled that the requested information was exempt from disclosure under Section 8(1)(e) of the RTI Act, citing an agreement with the Russian Federation.
The petitioner had sought details related to Units 1 and 2, including the Safety Analysis Report (SAR), Site Evaluation Report (SER), and Environmental Impact Assessment (EIA) report. Although NPCIL provided the EIA report, it refused to disclose the SAR and SER, arguing that they contained proprietary reactor design information protected under the exemption.
It is now evident that much of the very information the nuclear authorities sought to withhold has been leaked on a massive scale. The security threats they cited against disclosure have thus been undermined through this breach.
Behind the central government’s push to revive nuclear projects lie ambitious plans for greater private capital participation. The government has amended the Atomic Energy Act of 1962 and the Civil Liability for Nuclear Damage Act of 2010 to attract foreign investment.
The recent leak of sensitive files also underscores the significant risks involved in the privatisation of the nuclear industry.
The Kudankulam breach should serve as a wake-up call. It demonstrates that the gravest threats to nuclear security may arise not only from hostile states or terrorist groups but also from vulnerabilities embedded in supply chains, private contractors, and weak cybersecurity practices. At a time when the Union government is expanding nuclear power and inviting greater private participation through legislative changes, this incident underscores the urgent need for far stricter security standards, greater institutional accountability, and independent oversight.
A nuclear programme cannot claim to be secure while its most sensitive information can be compromised on such a scale.





