Cybersecurity breach at Bengaluru’s water & sewage board exposes citizen data: Report

A critical breach at the Bengaluru Water Supply and Sewage Board (BWSSB) has left personal data of lakhs of Bengaluru residents at risk, a new finding by CloudSEK has shown. According to the Software-as-a-Service (SaaS)-based cybersecurity firm, direct root access to BWSSB’s database has exposed sensitive personal information of over 290,000 people, including name, address, phone number, and Aadhaar details. 

On April 10, CloudSEK’s proprietary digital risk monitoring platform XVigil flagged a post by a threat actor identified as “pirates_gold”, offering unrestricted access to BWSSB’s database. The perpetrator has been active since September 2024 and has targeted organisations across e-commerce, healthcare, and finance sectors globally. 

The actor allegedly obtained access through exposed credentials and a publicly accessible admin login portal. Notably, exposed credentials are one of the major causes of cyberattacks. According to IBM's 2023 Cost of a Data Breach Report, 19% of breaches were caused by stolen or compromised credentials. 

CloudSEK’s team traced the BWSSB breach to a publicly exposed .env file that contained plaintext MySQL credentials. Alongside this, an internet-facing Adminer interface, commonly used for database management, was also accessible. These misconfigurations granted the attacker full administrative access without requiring any sophisticated hacking tools. Such an attack allows hackers to alter, delete, or steal critical records such as payment data, service applications, and citizen grievances.

CloudSEK’s further analysis shows that the incident can lead to targetted phishing attacks, disruption of essential services, and erosion of public trust. 

“This isn’t just about numbers. Behind each exposed record is a person – someone who trusts public agencies to safeguard their information. This breach is a wake-up call for public sector institutions to prioritise cybersecurity before citizens pay the price,” said Sourajeet Majumder, CloudSEK researcher.

In its report, CloudSEK has urged government bodies to adopt proactive threat monitoring, secure coding practices, and strict data handling policies to prevent such breaches.

BWSSB has not yet responded to TechCircle’s queries. However, in a statement to Deccan Herald, Chairman Ram Prasath Manohar V said the organisation will investigate the incident and file a complaint with the cybercrime police if an attack is confirmed. He also noted that BWSSB’s team will work to identify the origin of the breach.

In December 2022, BWSSB allegedly experienced another significant data breach. Cybersecurity firm Technisanct reported that over 202,000 citizen records were leaked by the hacker group KelvinSecurity. The compromised data included personal details such as building information, contact numbers, payment records, and water meter specifics. At the time, however, BWSSB denied the attack.