Security & TrustSubscribers only yesterday7Add to bookmarks

The 2019 Kudankulam intrusion went through a contractor. Seven years later, the entry point may still be the same.
Files apparently linked to Reliance and to India's Kudankulam Nuclear Power Plant have been located on dark web marketplaces, per a Medianama investigation. Neither entity has publicly confirmed a breach; the scale, provenance and freshness of the data remain to be established.
Kudankulam is India's largest nuclear power plant, built on Russian VVER-1000 reactors, and previously the target of a confirmed 2019 Dtrack malware incident attributed by Indian and third-party analysts to the Lazarus group. Reliance, meanwhile, is India's largest private conglomerate, whose telecom and retail arms hold very large customer datasets. Both operate under a DPDP Act (Digital Personal Data Protection Act, 2023) enforcement regime that is still bedding in.
Medianama (Jul 16, 2026) reports that samples of files bearing Reliance and Kudankulam markings appeared on dark web forums. The outlet describes documents and metadata rather than a defined record count; no cryptographic proof of freshness has been published at time of writing. India's CERT-In had not issued a public advisory tied to either dataset when the article ran.
Two patterns matter. First, contractor and supplier files are increasingly the entry point - the 2019 Kudankulam intrusion transited an administrative workstation, not the reactor control network, and this year's leaked material may follow the same path. Second, "leaked" ≠ "operational compromise": the gap between an air-gapped control system and a corporate document store is where most of these stories actually sit, and it usually gets flattened in the headline.
Most likely: confirmed contractor-side exfiltration, no impact on plant operations, DPDP Board opens a Reliance-side probe. Escalated: cross-referencing links Reliance customer data to Kudankulam-adjacent personnel, opening a targeted-surveillance risk. Worst: attribution to a state-linked actor triggers an India-Russia diplomatic layer around plant security.
For anyone selling into Indian critical infrastructure, the surface is moving from "big vendors know they're targets" to "your contractors are the door." Supply-chain security clauses stop being paperwork. And the DPDP Act's first big enforcement test may not come from a consumer app but from a corporate-doc breach with critical-infra fingerprints on it.
Create a free account to access all our content and the weekly review.
Article produced by artificial intelligence, reviewed under human editorial control.
Sign in to join the discussion.
La sécurité des chaînes d'approvisionnement est cruciale, mais comment concilier sécurité et efficacité dans les infrastructures critiques ?
La sécurité des chaînes d'approvisionnement est cruciale, mais comment concilier sécurité et efficacité dans les infrastructures critiques ?
Regular audits and risk assessments could help strike that balance between security and efficiency.
On s'inquiète pour nos infrastructures vitales. Comment les protéger vraiment ?
La sécurité des sous-traitants, c'est un vrai casse-tête. Comment les rendre aussi vigilants que les entreprises principales ?
Les failles en sous-traitance, c'est toujours le point faible. Des audits réguliers et un contrôle strict des fournisseurs seraient indispensables.
La sécurité des chaînes d'approvisionnement est cruciale. Mais comment protéger les infrastructures sensibles sans nuire à leur efficacité ?
Comment assurer que les sous-traitants sont aussi vigilants que les grandes entreprises ?