A Leak of Private Information of Citizens: The Bengaluru Water Board Cyber Breach Scandal

A cybercriminal offered root access to the Bangalore Water Supply and Sewerage Board’s database for just Rs. 41,500, exposing the private data of over 2,90,000 people.
According to an inquiry, the intrusion was caused by a simple configuration error that left a .env file exposed, underscoring the mounting risks associated with inadequate cybersecurity practices at public utilities.
A Price Tag on Public Trust: How the Breach Was Discovered
At the beginning of April 2025, cybersecurity researchers discovered a disturbing post on an underground forum. A threat actor going by the handle pirates_gold was offering direct root access to the Bangalore Water Supply and Sewerage Board’s (BWSSB) database for the startlingly cheap sum of Rs. 41,500.
According to the advertisement, more than 291,212 user records, including full names, Aadhaar numbers, full addresses, emails, and phone numbers, were allegedly accessible. Worryingly, pirates_gold appeared anxious to sell, suggesting an openness to lower offers in private talks.
During direct interaction with the actor, researchers found evidence that the breach stemmed from an unprotected subdomain (owc.bwssb.gov.in) hosting an administrative portal with an inadequately secured database administration interface called Adminer. More importantly, the .env configuration file containing plain-text MySQL database credentials was publicly accessible, which essentially handed over the keys to BWSSB’s digital kingdom.
Even though the credentials and exposed file were eventually removed from the internet, the harm had already been done. The attacker allegedly inserted a backdoor, although CloudSEK has not independently verified continued access.
Inside the Breach: Anatomy of the Failure
The inquiry paints a sobering picture of a crucial public utility’s disregard for cybersecurity basics.
Using the same username and password contained in the exposed .env file, a simple configuration file frequently used to hold secret credentials, pirates_gold was able to verify root access. Combined with the publicly accessible Adminer interface, this access gave the threat actor complete control over the database.
Analysis of the data tables confirmed the compromise of payment records, application information, grievance logs, and sensitive personally identifiable information (PII) of over 290,000 applicants. This is a goldmine for cybercriminals who want to commit identity fraud, launch phishing attacks, or even interfere with public services.
According to CloudSEK’s threat intelligence, pirates_gold is also a moderately active participant in well-known cybercrime forums, having previously been connected to security lapses in the e-commerce, healthcare, banking, and even government sectors in several different nations.
The actor’s modus operandi relies on three primary profit tactics:
- Selling root-level entry into organizations’ databases.
- Making money from data dumps via underground forums.
- Providing access brokerage for financial gains.
The BWSSB hack is yet another concerning addition to the growing list of targets.
Fallout and Urgent Need for Reform
Beyond the theft of data, this hack damages public trust in vital municipal infrastructure, especially as Indian cities rapidly transition to “smart city” status.
Bengaluru residents are now at risk of highly targeted social engineering and fraud due to the nature of the stolen data, which included complete profiles connected to government services. With precise PII, attackers can craft convincing scams that could result in monetary losses or more heinous exploitation.
CloudSEK has strongly advised BWSSB to implement the following urgent damage mitigation measures:
- Conducting thorough security audits to find backdoors or lingering risks.
- Revoking and rotating all exposed credentials.
- Limiting access to administrative interfaces and making sure that they are never made public without strong access protections like IP whitelisting or VPNs.
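An added example, not part of the original article or of CloudSEK's report: one way a defender could approach the audit step above is to review web server access logs for requests that were served a .env file or that reached Adminer from outside a management network. The access-log format, the allowlisted range 10.20.0.0/24, the file-name patterns and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the server writes the common/combined access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: database admin tooling is only legitimate from this management range.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

DOTENV_RE = re.compile(r"(^|/)\.env(\.[\w.-]+)?$", re.IGNORECASE)
ADMINER_RE = re.compile(r"(^|/)adminer[\w.-]*\.php$", re.IGNORECASE)


def classify(line):
    """Return (finding, client_ip, path) for a log line, or None if benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # client field is a hostname, not an address
        return None
    path = m["path"].split("?", 1)[0]       # ignore the query string
    served = 200 <= int(m["status"]) < 300  # the server returned the content
    if DOTENV_RE.search(path):
        # A 2xx means the secrets file was handed out: rotate every credential in it.
        return ("dotenv-served" if served else "dotenv-probe", str(ip), path)
    if ADMINER_RE.search(path) and served:
        if not any(ip in net for net in ADMIN_ALLOWLIST):
            return ("adminer-external", str(ip), path)
    return None


def audit(lines):
    """Collect all findings from an iterable of access-log lines."""
    return [finding for finding in map(classify, lines) if finding]


# Constructed sample lines (documentation IP ranges), not real BWSSB logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2025:10:01:22 +0530] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.9 - - [02/Apr/2025:10:02:10 +0530] "GET /.env.bak HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [02/Apr/2025:10:05:41 +0530] "POST /adminer.php?server=localhost HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '10.20.0.15 - - [02/Apr/2025:11:00:00 +0530] "GET /adminer.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Apr/2025:11:03:00 +0530] "GET /index.php HTTP/1.1" 200 1022 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A "dotenv-served" finding means the credentials in that file should be treated as disclosed, while "adminer-external" shows the admin interface was reachable from outside the allowlisted network.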
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.