IIT Roorkee rejects data breach claims; Education Ministry, other IITs endorse
A security issue flagged by a 16-year-old ethical hacker triggered concerns about possible exposure of JEE Advanced candidate data. IIT Roorkee has now said there was no data breach, no mass download and no impact on examination outcomes. The Education Ministry, along with other IITs like IIT Bombay, IIT Kanpur, IIT Madras, and IIT Kharagpur have also backed IIT Roorkee's stand.
by India Today Education Desk · India TodayIn Short
- Issue surfaced after admit card access fixes on June 2
- Researcher Rylan Anil responsibly reported a temporary cloud storage misconfiguration
- Institute said the affected storage allowed read-only access to limited data
Days after a 16-year-old cybersecurity researcher from Dubai flagged a vulnerability linked to JEE Advanced systems, IIT Roorkee has issued a detailed clarification rejecting claims of a large-scale data breach affecting lakhs of candidates.
This has also drawn responses from other institutions, with IIT Roorkee, IIT Madras, IIT Bombay and the Ministry of Education all asserting that reports of a large-scale privacy violation are inaccurate.
The issue first came to light after ethical hacker Rylen Anil reported that a cloud storage component linked to the JEE Advanced ecosystem had been misconfigured, potentially allowing access to certain candidate data.
The disclosure sparked concerns on social media, with some users alleging a major privacy breach involving aspirants.
IIT ROORKEE LEADS THE RESPONSE
In its detailed statement, IIT Roorkee said, "Claims of a data breach and privacy violation affecting lakhs of JEE (Advanced) aspirants are misleading and factually incorrect."
The institute explained that on June 2, certain technical interventions were carried out to help candidates facing difficulties in accessing admit card data and to ensure the smooth functioning of the registration process.
According to IIT Roorkee, these interventions led to a "minimal, temporary misconfiguration in a cloud storage component". The institute acknowledged that ethical hacker Rylan Anil identified the issue and reported it, following which access was immediately restricted.
WHAT THE INSTITUTES SAY HAPPENED
IIT Roorkee said the affected storage was read-only, meaning no information could be modified or deleted.
It further stated that cloud access logs showed no evidence of bulk downloading and that the access was limited to less than 0.05 per cent of the stored data.
The institute added that "no sensitive information was compromised or mass-extracted" and stressed that the incident had "zero impact on examination outcomes, including marks, ranks, and category of the candidates."
EDUCATION MINISTRY JOINS IN
The Ministry of Education subsequently issued its own statement, saying there had been "several misleading and factually incorrect reports regarding data breach and privacy violations" relating to JEE (Advanced) candidates.
Referring to IIT Roorkee's clarification, the ministry reiterated that no sensitive information had been compromised and that examination outcomes, candidate data and records remained secure.
OTHER IITS ALSO JOIN
The clarification has also received support from other IITs involved in the JEE ecosystem.
IIT Madras shared the same clarification issued by IIT Roorkee, reiterating that reports of a large-scale breach were misleading and that the issue involved a temporary technical misconfiguration rather than unauthorised extraction of candidate data.
IIT Bombay also reposted the statements issued by IIT Roorkee and the Ministry of Education, signalling institutional backing for the explanation provided by examination authorities.
IIT Kharagpur and IIT Kanpur have also backed IIT Roorkee's stand on the privacy issue.
FOCUS SHIFTS TO CYBERSECURITY
While authorities insist that no sensitive information was leaked and no examination process was affected, the episode has once again highlighted the growing role of ethical hackers in identifying vulnerabilities in public-facing examination systems.
For now, IITs and the Education Ministry have taken a common position: the issue was real, it was reported responsibly, it was fixed quickly, and it did not amount to the large-scale data breach described in several social media posts.
- Ends