A 16-year-old cybersecurity researcher has called out the Indian Institute of Technology Roorkee for exposing data of thousands of students through the JEE Advanced 2026 examination system, saying a cloud storage misconfiguration, not a cyberattack, led to the exposure. The researcher, who goes by the name ‘DarthKermy’ in online forums, said an issue with ISO’s exchange handler software led to the exposure. This was subsequently shared publicly on social media, which prompted the response from the exam’s organising institute, IIT Roorkee.
What data was allegedly exposed in the JEE Advanced incident
The researcher said that details of around 179,600 result records and 187,300 admit-card PDF files could be accessed through the JEE Advanced 2026 system without authentication. He said that further details that could be gleaned from the exposed information include candidates’ names, their date of birth, mobile numbers and other personal details that can identify JEE Advanced aspirants.
The researcher said the data was available through the publicly accessible cloud storage links because of a configuration error. At present, there is no sign that passwords have been stolen or the exam system hacked directly. According to cybersecurity experts, however, personal data’s being publicly available causes privacy concerns even in the absence of a typical cyberattack.
How did IIT Roorkee respond to the JEE Advanced data exposure claim
The institute admitted to the issue after the news blew up on the Internet. In a public response, the institute thanked the researcher for bringing the cloud storage configuration issue to light and said action was being taken to fix the problem. The institute said the storage had read-only permissions, meaning that while files could have been read by external parties, they could not have been edited. Cybersecurity experts say, however, that personal data’s being publicly available causes privacy concerns because the data can still be collected and abused without any alteration to the original files.
Why do experts worry about publicly available student data
Data exposures related to educational records open doors for identity theft, phishing and targeted scams. Cybercriminals value personal details such as names, phone numbers and dates of birth for the purpose of impersonation and other fraudulent activities. The sheer scale of the alleged breach has raised alarm as JEE Advanced is one of India’s toughest entrance examinations and the only way of entry into the Indian Institutes of Technology (IITs).
What unanswered questions remain after the disclosure
IIT Roorkee has said that corrective action is being taken; however, there are several questions remaining unanswered. The institute has not said for how long the data was accessible or revealed whether any unauthorised individuals accessed the information. The institution has not also said where candidates who applied for the exams would be notified about the incident or whether there is any estimate of the potential fallout for students. Such incidents have highlighted the growing concerns about data security in examinations as academic organisations online shift a growing number of exams and processes. Experts say institutions need better safeguards to protect the candidate’s data from accidental exposure.
Also Read: CBSE Extends Re-Evaluation Portal Session Limit After Login Issues, Reports Cyberattack Attempts
Radhika is a journalist with two years of experience covering education, competitive exams, and student-focused developments. She reports on exam notifications, results, admissions, scholarships, and academic policies, helping students stay updated with important information.
Known for her clear and reader-friendly writing, she simplifies complex education updates into accessible stories that guide aspirants, students, and parents. She is also interested in highlighting inspiring student journeys and grassroots education initiatives.
For queries or story tips, you can reach out to her on X (formerly Twitter): https://x.com/Hitkariradz
