The Centre and IIT Roorkee, which organised this year’s JEE (Advanced), on Friday acknowledged only a “minimal, temporary misconfiguration” in a cloud-storage component and dismissed as “misleading” the claims of a data breach and privacy violation of aspirants.
IIT Roorkee took note of ethical hacker Rylen Anil’s social media claim that he could access the database, but added that no sensitive information was compromised or mass-extracted.
An expert, however, wondered why the IITs depended on cloud storage services of global companies instead of having their own server to maintain students’ data.
IIT Roorkee said in a series of posts on X: “Claims of a data breach and privacy violation affecting lakhs of JEE (Advanced) aspirants are misleading and factually incorrect. The information circulating on social media is misleading and does not accurately reflect what happened. There is an attempt at spreading misinformation, which is far from the truth.”
According to the institute, certain technical interventions were undertaken on an expedited basis on June 2 to assist candidates facing difficulties in accessing admit-card data and to ensure the smooth functioning of the registration process.
The IIT said these interventions resulted in a “minimal, temporary misconfiguration” in a cloud-storage component. “An ethical hacker, Mr Rylen Anil, identified this misconfiguration and reported that he could access the concerned database. The issue was immediately rectified, and access to the data was restricted,” the institute said.
Rylen had, however, said he could access “admit-card PDFs, including candidate names, DOBs and mobile numbers”.
The affected storage was “read-only”, meaning no data could be edited or deleted, IIT Roorkee said, adding that an analysis of cloud-access logs had confirmed that no bulk download had occurred. “The read-only access was limited to less than 0.05 per cent of the data,” it added.
The institute asserted that “no sensitive information was compromised or mass-extracted” and that the incident had “zero impact on examination outcomes, including marks, ranks and category of the candidates”.
The education ministry amplified IIT Roorkee’s post on X. “The Ministry reiterates that no sensitive information was compromised, and the examination outcomes, marks, and candidate information remain completely secure, intact and safe,” the ministry posted.
Rajeev Kumar, a retired professor of computer science at IIT Kharagpur, said data related to JEE (Advanced) candidates were still vulnerable.
“Apparently, the IITs have allowed read-only access to candidates’ data from cloud storage. It means anybody can read the personal details, such as family background or address, of any JEE (Advanced) candidate, although none can alter any information. This is a gross violation of privacy,” Kumar said.
“Data is normally stored in secure cloud environments with appropriate encryption and access controls. Authorised users are granted limited permissions to read, modify, or update specific portions of the data as required. Any deviation from these principles can expose candidates to significant privacy risks and unauthorised manipulation of data,” he added.
Kumar said this episode begged the question why the IITs depended on the cloud storage services of global companies.
