A partial data breach on a third-party server hosting Reliance's information has led to leaked files related to the Kudankulam Nuclear Power Plant project surfacing on the dark web. The breach highlights vulnerabilities within critical infrastructure ecosystems and underscores evolving data protection challenges in India.

  • Reliance confirms partial data breach with leaked files on dark web
  • Leaked data includes material linked to Kudankulam Nuclear Power Plant project
  • India’s mandatory breach disclosure rules not operational until May 2027

What happened

Reliance experienced a partial data breach involving a server managed by Mumbai-based third-party provider Yotta. A significant volume of data was leaked and made publicly accessible on a ransomware group's dark web site. Among the files exposed were those related to the Kudankulam Nuclear Power Plant in Tamil Nadu, where Reliance holds a contract for work on nuclear reactors.

Independent cybersecurity researchers first identified the leak in early June 2026, revealing over 19,000 files amounting to 14.3 GB, and a broader set of files totaling over 1.2 TB and more than 850,000 documents. Reliance has confirmed the breach but has not detailed the nature of the compromised data. Indian cybersecurity agencies including CERT-In and NPCIL are engaged in investigating the incident.

Why it matters

The exposure of files connected to a sensitive nuclear power project raises serious national security and operational concerns. Kudankulam is a critical infrastructure asset, and any unauthorized data access potentially risks compromising safety protocols or confidential project details.

This breach also illustrates the growing threat ransomware groups pose to Indian corporations and sensitive sectors. With India's data protection framework still evolving, mandatory breach notification rules under the Digital Personal Data Protection Rules are not due to take effect until May 2027, delaying regulatory transparency and response requirements.

What to watch next

Authorities’ ongoing investigation outcomes will be key to understanding the breach’s full impact and any steps Reliance and NPCIL will take to secure sensitive information. The incident may accelerate calls for immediate operationalization of India's data breach notification rules to improve transparency and accountability.

Additionally, monitoring similar attacks on other Indian corporations, such as the recent Tata Electronics data leak, will provide context on the cybersecurity risks faced by critical industry players. Enhanced cybersecurity measures and timely policy implementation are likely to be prioritized by both private sector and government stakeholders.

Source assisted: This briefing began from a discovered source item from MediaNama. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings