BWSSB Data Breach: Hackers Breach Portal, Aadhaar, PAN, and Payment Data of Users Sold on Dark Web

A major data breach has compromised the personal data of over 2.91 lakh users of the Bangalore Water Supply and Sewerage Board (BWSSB), according to a recent investigation by Bengaluru-based cybersecurity firm CloudSEK.

The breach was traced to BWSSB's water connection application portal, where hackers gained unauthorized access and exposed sensitive user information such as Aadhaar numbers, PAN details, phone numbers, full addresses, email IDs, and payment records. The details were revealed in a probe report cited by Deccan Herald on Tuesday.

The stolen database was allegedly listed for sale on the dark web forum BreachForum by a user named pirates_gold. Initially priced at $500 (around ₹42,600), the threat actor reportedly showed urgency and willingness to sell the data at a lower price, suggesting a strong intent to quickly offload the information.

According to CloudSEK, the leaked database includes data from over 2.91 lakh users. Although the leak reportedly did not include user passwords, sample data was shared in the post, which indicated the scope of the breach. The exposed information includes:

• Application data (names, addresses, Aadhaar and PAN numbers)
• Payment records
• Grievance data
• System logs

Experts warn that such information can easily be misused for identity theft and financial fraud.

In response, BWSSB officials maintained that critical data remains secure. "Billing data is stored in the government's high-security Data Centre with 24x7 monitoring. A breach of that data is highly unlikely," a source told DH.

However, BWSSB Chairman Ram Prasath Manohar acknowledged the seriousness of the breach and said a formal complaint will be filed with the cybercrime police. "If the breach is confirmed, we will identify the cause and work with technical experts to strengthen our data security," he said.

CloudSEK has advised the BWSSB to take immediate action, including a comprehensive security audit, revocation of exposed credentials, and restricting public access to backend systems to avoid further risks.