Bengaluru: A major data breach in the Bangalore Water Supply and Sewerage Board's (BWSSB) application portal for water connection has exposed over 2.90 lakh customer records.

The access to these records, including PAN, Aadhaar numbers, payment data and mobile numbers, was put on sale on an underground data leaks forum on the internet for $500 (approximately Rs 42,517).

The findings were based on a probe by CloudSEK, a Bengaluru-based cybersecurity firm. A probe report compiled by security researcher with the firm, Sourajeet Majumder, was shared exclusively with DH.

The company frequently monitors the surface of the internet, the deep and the dark web for potential threats.

The team has also emailed their findings to the BWSSB chairman and the Officer on Special Duty to Chief Minister Siddaramaiah.

On April 10, 2025, XVigil, CloudSEK's contextual AI digital risk platform, discovered that the data dump and direct root access to the BWSSB's database were being sold on BreachForum – an underground data leaks web forum — by a threat actor (term referring to hackers or cybercriminals) with the username pirates_gold.

"The initial post by the threat actor specified a payable amount of $500 for access to the compromised BWSSB database. However, upon direct engagement, the actor demonstrated a high level of urgency and appeared willing to negotiate significantly lower prices, indicating a potential desperation to sell," said the report.

"The post claimed that the database access would expose records of 2,91,212 users. It was explicitly stated that the compromised data did not include the user's passwords. Additionally, the post featured a few lines of sample data."

Apart from the data dump, a direct root access would allow the buyer to modify or delete the BWSSB's critical operational data, such as payment records or grievance logs in turn disrupting essential public services, and plant malware and spyware.

"Based on the available intelligence and corroborating evidence, we can conclude with high confidence that the threat actor gained unauthorised access to the BWSSB database comprising over 2,90,000+ user records by leveraging valid database credentials exposed within a publicly accessible .env file," the researchers found.

Meanwhile, sources in the BWSSB assured to DH that the data was safe and that required security measures were in place. "The entire billing data is stored in the State Data Centre maintained by the Karnataka government," the sources said. "The 24x7 monitoring is at a high-security level and a breach of billing data was next to impossible."

The impact

The researchers found that the database contained multiple tables of content: Payment Data, Application Data, Grievance Data and System Logs.

The application data table alone had over 2.90 lakh records with details such as full name, phone number, complete address, email ID, Aadhaar and PAN number and other critical details of the applicants, they found.

These data, in the hands of cybercriminals, can be used to launch sophisticated targeted phishing and cyber attacks. Access to detailed records creates a sense of credibility when the scammer calls the victim, which in turn increases the likelihood of the scam.

Recommendations by the firm

*Conduct a Comprehensive Security Audit

*Revoke Exposed and Potentially Compromised Credentials

*Remove Public Access to Administrative Interfaces

Will file FIR: BWSSB chief

BWSSB chairman Ram Prasath Manohar V said adequate action will be taken. “We will file a case with the cybercrime police,” Manohar told DH. “If a breach has occurred, we will identify the source and try to protect the data by involving our technical team to come up with a solution to prevent such a breach in the future.”