Bengaluru: Fresh claims by the Bangalore Water Supply and Sewerage Board (BWSSB) regarding the recent breach in their database does not match the independent findings by a cybersecurity firm in Bengaluru.

On April 29, DH exclusively reported probe findings by CloudSEK, which revealed that sensitive data — including Aadhaar and PAN details — of over 2.9 lakh BWSSB customers was on sale on a data leaks web forum for $500 (approx Rs 42,273).

A day after the findings were reported, the BWSSB approached the Central CEN police and an FIR was registered.

On Wednesday, BWSSB Chairman Ram Prasath Manohar issued his first public statement, claiming that the “cyber-attack attempt” was successfully foiled.

“The attack took place on the morning of April 11, targeting the BWSSB’s online portal for water connection applications. Following an alert from the Indian Computer Emergency Response Team (CERT-In), the BWSSB’s technical team acted swiftly to contain the breach attempt,” Manohar said.

"The customer data of the BWSSB is securely stored in the State Data Centre managed by the Government of Karnataka. The attempted breach focused on the portal linked to connection applications, which contained limited and recent applicant data. Preliminary analysis confirms that while a small portion of data was accessed, no sensitive or confidential customer information was leaked.”

He added that as a precaution, all relevant data from the affected portal was transferred to more secure centralised servers and that they were evaluating the implementation of blockchain technology.

Interestingly, while the BWSSB claims the attack occurred on April 11, CloudSEK researchers found that the data was already on sale by April 10 — suggesting the breach happened much earlier.

The researchers also discovered that the database on sale contained multiple tables: Payment Data, Application Data, Grievance Data, and System Logs. The Application Data table alone held over 2.9 lakh records with details such as full name, phone number, complete address, email ID, Aadhaar and PAN numbers, and other critical applicant information.

A direct root access was also reportedly offered by pirates_gold (the seller), allowing a buyer to modify or delete the BWSSB’s critical operational data — such as payment records or grievance logs — potentially disrupting essential public services and planting malware or spyware.