IITs Deny Data Breach in JEE Advanced Portal as CBSE Reports Cyberattacks on Post-Result Services
The Indian Institutes of Technology (IITs) have dismissed claims of a data breach in the Joint Seat Allocation Authority (JoSAA) portal for JEE Advanced, calling them "misleading and factually incorrect." IIT Roorkee, the coordinating institute for this year’s exam, acknowledged a minor cloud storage misconfiguration on June 2 but confirmed that the issue was swiftly resolved. The affected storage was read-only, preventing any data modification or deletion, and logs showed no bulk downloads only 0.05% of the data was accessed. No sensitive information was compromised, and the incident had no impact on exam results, ranks, or candidate categories.
The misconfiguration occurred during a technical exercise to assist candidates facing admit card access issues. IIT Roorkee condemned attempts to misrepresent the event, reaffirming the security of the JEE Advanced portal.
Meanwhile, the Central Board of Secondary Education (CBSE) filed a complaint with Delhi Police over "coordinated cyberattacks" on its Post-Result Services Portal, which handles re-evaluation and verification requests. The portal, launched on June 2, faced 1.5 million access requests within two minutes, alongside over 100,000 unauthorized attempts indicative of a DDoS-style attack. CBSE stated that all attacks were mitigated through 24/7 monitoring, with no data breach or system compromise.
The security measures followed audits by cybersecurity teams from IIT Kanpur and IIT Madras, addressing vulnerabilities in the platform. As of June 4, the portal had processed 70,433 applications, including 7,314 for mark verification and 63,119 for re-evaluation.
Indian Institute of Technology Roorkee cybersecurity rating report: https://www.rankiteo.com/company/indian-institute-of-technology-roorkeeiitr
"id": "IND1780705492",
"linkid": "indian-institute-of-technology-roorkeeiitr",
"type": "Breach",
"date": "6/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'customers_affected': 'JEE Advanced candidates',
'industry': 'Education',
'location': 'India',
'name': 'Indian Institutes of Technology (IITs)',
'type': 'Educational Institution'},
{'customers_affected': 'Students applying for '
're-evaluation/verification',
'industry': 'Education',
'location': 'India',
'name': 'Central Board of Secondary Education (CBSE)',
'type': 'Educational Board'}],
'attack_vector': ['Cloud Storage Misconfiguration',
'Unauthorized Access Requests'],
'data_breach': {'data_exfiltration': 'No',
'personally_identifiable_information': 'No',
'sensitivity_of_data': 'Low (no PII or sensitive information)',
'type_of_data_compromised': 'Non-sensitive data (0.05% '
'accessed)'},
'date_detected': '2024-06-02',
'date_resolved': '2024-06-02',
'description': 'The Indian Institutes of Technology (IITs) dismissed claims '
'of a data breach in the Joint Seat Allocation Authority '
'(JoSAA) portal for JEE Advanced, stating a minor cloud '
'storage misconfiguration was swiftly resolved. Meanwhile, '
'CBSE reported coordinated cyberattacks on its Post-Result '
'Services Portal, mitigated without data compromise.',
'impact': {'brand_reputation_impact': 'Misrepresentation attempts condemned',
'data_compromised': '0.05% of data accessed (non-sensitive)',
'identity_theft_risk': 'None (no sensitive data compromised)',
'operational_impact': 'Minimal; no impact on exam results or '
'candidate categories',
'systems_affected': ['JoSAA Portal (Cloud Storage)',
'CBSE Post-Result Services Portal']},
'investigation_status': 'Resolved',
'lessons_learned': 'Importance of secure cloud storage configurations and '
'proactive monitoring to prevent misrepresentation of '
'incidents.',
'post_incident_analysis': {'corrective_actions': ['Resolved misconfiguration',
'Mitigated DDoS-style '
'attacks',
'Conducted security audits'],
'root_causes': ['Cloud storage misconfiguration',
'High-volume unauthorized access '
'requests']},
'recommendations': ['Conduct regular security audits',
'Implement stricter access controls',
'Enhance monitoring for high-volume access requests'],
'references': [{'source': 'IIT Roorkee Statement'},
{'source': 'CBSE Complaint to Delhi Police'}],
'response': {'communication_strategy': 'Public denial of breach claims; '
'confirmation of security measures',
'containment_measures': ['24/7 monitoring',
'Mitigation of unauthorized access '
'attempts'],
'enhanced_monitoring': 'Yes',
'law_enforcement_notified': 'Yes (CBSE filed complaint with '
'Delhi Police)',
'remediation_measures': ['Resolved cloud misconfiguration',
'Addressed platform vulnerabilities'],
'third_party_assistance': 'Cybersecurity teams from IIT Kanpur '
'and IIT Madras'},
'stakeholder_advisories': 'IITs and CBSE reaffirmed portal security and '
'condemned misrepresentation attempts.',
'title': 'IITs Deny Data Breach in JEE Advanced Portal; CBSE Reports '
'Cyberattacks on Post-Result Services',
'type': ['Misconfiguration', 'DDoS Attack'],
'vulnerability_exploited': ['Cloud Storage Misconfiguration',
'High Volume Access Requests']}