After claiming responsibility for the recent cyberattack on Tata Power, the Hive ransomware group has started leaking stolen employee data.

Tata Power is India’s largest power company and serves more than 12 million customers through its distributors. On October 14, the company confirmed that it had been hit by a cyberattack that impacted some of its IT systems. “The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning”, Tata Power said at the time, without confirming further details on the attack and its impact.

Hive listed Tata Power on its dark web leak site this week. The ransomware group uses the site to publicize attacks and stolen data. Hive claims it encrypted the company’s data on October 3, suggesting Tata Power may have known about the breach two weeks prior to its initial filing, according to the listing. TechCrunch contacted Tata Power for a comment but had not received a response at the time of publication.

The listing of stolen data suggests that any negotiations to pay a ransom failed. This data, which was reviewed by TechCrunch, includes sensitive employee information, such as Aadhaar national identity card numbers, tax account numbers, salary information, home addresses and phone numbers. The leaked data, which was posted to Hive’s dark web leak site on October 24, also includes engineering drawings, financial and banking records, client records and some private keys.

‘Stolen data poses no threat to power grids’

“The leak has sensitive data but nothing that affects power grids”, said Rahul Sasi, co-founder and CEO of threat intelligence firm CloudSEK, who also reviewed the leaked data. Sasi noted that the group’s motivation appears to be purely financial.

The Hive ransomware gang has been active since mid-2021. The gang and its affiliates target organizations that experience high downtime costs, such as healthcare providers, energy providers and retailers. The latter can pressure a victim to pay a ransom.