Nuclear Power Corporation of India Limited (NPCIL) has denied that the reported cyber incident involving files linked to the Kudankulam Nuclear Power Project (KKNPP) compromised any nuclear safety or security systems. The clarification comes after reports that a ransomware group had leaked thousands of files allegedly obtained from the systems of Reliance Infrastructure, a contractor involved in the project’s expansion.

According to NPCIL, the information circulating in the public domain relates only to conventional Balance of Plant (BoP) common service facilities, which are used in support infrastructure and are not part of the plant’s nuclear safety or security systems. The corporation emphasized that the incident has no impact on the safe operation of the nuclear facility.

NPCIL Rejects Claims of Sensitive Nuclear Data Breach

The state-owned nuclear operator sought to reassure the public following reports of leaked project documents.

Key HighlightsDetails
OrganizationNuclear Power Corporation of India Ltd (NPCIL)
FacilityKudankulam Nuclear Power Project
NPCIL’s positionNo breach of nuclear safety or security systems
Reported leaked dataBalance of Plant (BoP) project documents
InvestigationOngoing

NPCIL said the leaked material, if authentic, concerns conventional infrastructure rather than reactor operations or nuclear security.

What NPCIL Said

In its statement, NPCIL explained that:

  • The exposed information relates only to Balance of Plant (BoP) facilities.
  • BoP systems include conventional engineering infrastructure common to many power plants.
  • No nuclear reactor safety systems were compromised.
  • No nuclear security-related information was exposed.
  • Plant operations remain safe and secure.

The corporation stressed that there is no impact on reactor safety or nuclear operations.

What Is the Balance of Plant?

Balance of Plant refers to the conventional infrastructure that supports power generation but is separate from the reactor itself.

Examples include:

  • Common utility systems.
  • Conventional engineering facilities.
  • Supporting infrastructure.
  • Auxiliary mechanical and electrical systems.

NPCIL noted that these facilities are similar to those used in thermal and other industrial power plants and are distinct from nuclear safety systems.

Background of the Incident

DevelopmentDetails
Alleged sourceSystems linked to contractor Reliance Infrastructure
Threat actorRansomware group “World Leaks”
Reported leaked filesEngineering drawings, supplier information and project records
Official investigationOngoing

Earlier reports stated that the ransomware group claimed to possess nearly 19,000 files connected to the Kudankulam expansion project. Reliance Infrastructure acknowledged a partial breach involving one of its servers, while maintaining that investigations are continuing.

How NPCIL Says Project Documents Are Managed

NPCIL explained that:

  • Reliance Infrastructure received the EPC contract for the BoP package through a public tender.
  • NPCIL initially shared indicative drawings and technical specifications with bidders.
  • The contractor prepared detailed engineering designs in consultation with equipment manufacturers.
  • NPCIL reviewed and approved those designs to ensure compliance with technical requirements.

The corporation said these engineering documents are separate from information related to nuclear reactor safety and security.

Why the Clarification Matters

The statement seeks to distinguish between:

  • Conventional engineering project documentation.
  • Nuclear reactor control systems.
  • Nuclear safety infrastructure.
  • Nuclear security information.

Cybersecurity experts generally note that breaches involving contractors can still present risks, even when operational reactor systems remain isolated. Authorities continue to investigate the scope and authenticity of the leaked material.

Challenges Ahead

Authorities will continue to examine:

  • The authenticity of the leaked documents.
  • The full extent of the contractor’s data exposure.
  • Whether additional systems were affected.
  • Supply-chain cybersecurity practices.
  • Measures to strengthen protection of critical infrastructure.

Investigations by relevant agencies are ongoing.

Outlook

NPCIL’s statement aims to reassure the public that the reported cyber incident did not compromise the nuclear safety or security systems of the Kudankulam Nuclear Power Project. While acknowledging concerns surrounding the alleged leak of contractor-related documents, the corporation maintains that the exposed information pertains only to conventional Balance of Plant infrastructure and has no bearing on reactor operations.

The incident nevertheless highlights the growing cybersecurity challenges facing large infrastructure projects, where third-party contractors and supply-chain partners can become potential points of vulnerability. As India’s nuclear power programme expands, strengthening cybersecurity across the broader project ecosystem—not just operational reactor systems—will remain an important priority.

What It Means for India’s Nuclear Infrastructure

The episode underscores that cybersecurity for critical infrastructure extends beyond reactor control systems to include contractors, engineering firms, cloud providers, and supporting project documentation. Even when core nuclear systems remain protected, breaches involving third parties can expose engineering, procurement, or logistical information that warrants careful review.

The incident is likely to encourage continued investment in supply-chain cybersecurity, contractor oversight, and cyber resilience as India expands its nuclear energy capacity.

Get the day’s top stories in your inbox

One concise email. No spam, unsubscribe anytime.