Claims of data breach misleading: IIT Roorkee on JEE Advanced 2026 security issue
A security issue flagged by a 16-year-old ethical hacker triggered concerns about possible exposure of JEE Advanced candidate data. IIT Roorkee has now said there was no data breach, no mass download and no impact on examination outcomes.
by India Today Education Desk · India TodayIn Short
- Issue surfaced after admit card access fixes on June 2
- Researcher Rylan Anil responsibly reported a temporary cloud storage misconfiguration
- Institute said the affected storage allowed read-only access to limited data
Days after a 16-year-old cybersecurity researcher from Dubai flagged a vulnerability linked to JEE Advanced systems, IIT Roorkee has issued a detailed clarification rejecting claims of a large-scale data breach affecting lakhs of candidates.
The issue first came to light after ethical hacker Rylen Anil reported that a cloud storage component linked to the JEE Advanced ecosystem had been misconfigured, potentially allowing access to certain candidate data.
The disclosure sparked concerns on social media, with some users alleging a major privacy breach involving aspirants.
IIT ROORKEE CALLS CLAIMS MISLEADING
Responding to the controversy, IIT Roorkee said, “Claims of a data breach and privacy violation affecting lakhs of JEE (Advanced) aspirants are misleading and factually incorrect.”
The institute added that information circulating online did not accurately represent what had happened and alleged that there were attempts to spread misinformation about the incident.
According to IIT Roorkee, the issue emerged on June 2 when technical interventions were carried out on an expedited basis to help candidates facing difficulties in accessing admit card data and to ensure smooth functioning of the registration process.
WHAT WAS THE ACTUAL ISSUE?
The institute said those interventions resulted in a "minimal, temporary misconfiguration in a cloud storage component."
It confirmed that Rylan Anil identified the problem and responsibly reported it.
“An ethical hacker, Mr. Rylen Anil, identified this misconfiguration and reported that he could access the concerned database. The issue was immediately rectified and access to the data was restricted,” the statement said.
IIT Roorkee stressed that the storage was configured as read-only, meaning information could not be altered or deleted.
NO MASS DOWNLOAD, NO EXAM IMPACT
Addressing concerns over the scale of exposure, IIT Roorkee said an examination of cloud access logs showed that no bulk download had taken place.
“No sensitive information was compromised or mass-extracted,” the institute said, adding that read-only access was limited to less than 0.05 per cent of the data.
The institute also emphasised that the incident had “zero impact on examination outcomes, including marks, ranks, and category of the candidates.”
FOCUS SHIFTS TO EXAM SECURITY
The clarification comes amid growing scrutiny of examination technology and digital infrastructure following a series of controversies involving national-level entrance examinations.
Reiterating its position, IIT Roorkee said it remains committed to the integrity and security of the JEE Advanced and JoSAA admission processes. The institute added that attempts to misrepresent the incident and undermine public confidence in the examination system were “deeply concerning”.
- Ends