JEE-Advanced data breach claims misleading, factually incorrect: IIT-Roorkee

IIT-Roorkee and the Education Ministry have dismissed reports of a JEE (Advanced) data breach as misleading. Officials clarified that a temporary cloud misconfiguration exposed less than 0.05% of data in read-only mode, with zero mass extraction or impact on results

New Delhi: Claims of a data breach and privacy violation affecting lakhs of JEE (Advanced) aspirants are “misleading and factually incorrect”, the IIT-Roorkee said on Friday, asserting that no sensitive information was compromised or mass-extracted following a temporary cloud-storage misconfiguration.

The Indian Institute of Technology (IIT), Roorkee, which conducted the exam this year, said the information circulating on social media “does not accurately reflect what happened” and alleged an attempt to spread misinformation.

---

The JEE (Advanced) is the gateway for admission to undergraduate programmes in the IITs and several other premier engineering institutions across the country.

The Ministry of Education also dismissed reports of a data breach and privacy violations involving JEE (Advanced) candidates as “misleading and factually incorrect”.

“There have been several misleading and factually incorrect reports regarding data breach and privacy violations with respect to students who took JEE (Advanced) examination,” the ministry said in a post on X.

“As per the clarification issued by @iitroorkee the Ministry reiterates that no sensitive information was compromised, and the examination outcomes, marks, and candidate information remain completely secure, intact, and safe,” it added.

“Claims of a data breach and privacy violation affecting lakhs of JEE (Advanced) aspirants are misleading and factually incorrect. The information circulating on social media is misleading and does not accurately reflect what happened. There is an attempt at spreading misinformation, which is far from the truth,” the IIT-Roorkee said in a series of posts on X.

According to the institute, certain technical interventions were undertaken on an expedited basis on June 2 to assist candidates facing difficulties in accessing admit-card data and to ensure the smooth functioning of the registration process.

It further said these interventions resulted in a “minimal, temporary misconfiguration” in a cloud-storage component, which was identified and reported by ethical hacker Rylen Anil.

“An ethical hacker, Mr Rylen Anil, identified this misconfiguration and reported that he could access the concerned database. The issue was immediately rectified, and access to the data was restricted,” the institute said.

The affected storage was “read only”, meaning no data could be edited or deleted, the IIT-Roorkee said, adding that an analysis of cloud-access logs confirmed that no bulk download had occurred.

“The affected storage was read-only, meaning no data could be edited or deleted. An analysis of cloud access logs confirmed that no bulk download occurred (the read-only access was limited to less than 0.05 per cent of the data),” it said.

The institute further asserted that “no sensitive information was compromised or mass-extracted” and that the incident had “zero impact on examination outcomes, including marks, ranks, and category of the candidates”.

Reaffirming its commitment to the examination process, the IIT-Roorkee said it remains fully committed to maintaining the integrity, security and transparency of the JEE (Advanced) and Joint Seat Allocation Authority (JoSAA) counselling processes.

“Deliberate attempts to misrepresent this technical event and undermine public trust in the examination system are deeply concerning and should be discouraged,” it added.

“The JEE (Advanced) team looks forward to supporting every aspirant through a smooth and secure admission process into IITs and IISc,” it said.

Earlier, the IIT-Roorkee had confirmed that the JEE (Advanced) 2026 results portal faced a cloud-storage-configuration issue after a teenager, who identifies himself as a cybersecurity researcher, claimed that personal and examination details of lakhs of students were accessible without authorisation.

The response from the IIT-Roorkee came after the cybersecurity researcher, 16-year-old Rylen Anil, took to X, claiming that the public cloud storage endpoint of the results portal was accessible without authentication, exposing bulk candidate data.

On Tuesday, the institute said the data stored was in the read-only mode, with no possibility of record alteration, and added that the issue was being addressed on priority.