IIT Roorkee data breach: A wake-up call for higher education institutions

Indian Express

2 days ago

By Paakhhi Garg and Nachiketa Mittal
In an alarming data breach, the sensitive personal data of around 30,000 students and alumni of IIT Roorkee was reportedly found to have been compromised. The leaked database reportedly contains their mobile numbers, caste, financial status, email addresses, photographs and other data. IIT-R's administrative systems seem to have turned a blind eye to cyber safety standards.
It could happen to any other higher education institution (HEI). In many cases, it may already have happened, with us remaining oblivious — exposing people to the threat of cybercrimes despite no negligence on their part. Lakhs of students, parents and employees share sensitive personal data with HEIs. However, do HEIs have cyber security standards and the requisite infrastructure, training and institutional accountability measures in place? The IIT-R episode must be a clarion call to all HEIs in the country to be steadfast in protecting data. This is no longer a choice as the Digital Personal Data Protection (DPDP) Act, 2023 has both the teeth and the legislative intent to penalise non-compliant institutions.
Critical vulnerabilities have been allowed to grow because of the notion that academic prominence somehow correlates with digital security. The IIT-R breach was caused by a fundamental breakdown in data security. Our HEIs must take note of it. That's why a three-pronged strategy is required.
First, legal safeguards. Strict compliance with legal standards must be the cornerstone of any effective cybersecurity plan. With laws like the Information Technology Act, 2000, Sensitive Personal Data or Information (SPDI) Rules, 2011 and now the DPDP Act, India has achieved significant progress. This legislation requires organisations, who are referred to as 'data fiduciaries' or 'bodies corporate' to employ 'reasonable security safeguards' to secure personal/sensitive data.
This implies many things for HEIs, including that institutions must be transparent about the what, why and how of the data. All this information has to be shared in the form of a clear privacy notice and policy for external users and internal staff respectively. The HEIs must obtain explicit consent from all users whose data they are collecting and store only the data necessary for their purpose. Under the Information Technology Act, a breach must be reported to CERT-In within six hours. However, the IIT-Roorkee event shows a notable failure in this area, with a third party allegedly having found the vulnerability. Ideally, the law will hold the institution financially accountable for this 'breach' or 'contravention' in the absence of 'reasonable security practice', as stated in SPDI Rules and the IT Act respectively, with penalties.
Second, technical safeguards.Without a solid technological basis, legal compliance is pointless. The IIT-R event has exposed an essential digital hygiene breakdown. A practical approach must be much more than a firewall and antivirus program. All vital systems, such as student portals, administration databases and financial records, ought to require multi-factor authentication. To further reduce the possibility of internal data breaches, role-based access control should guarantee that employees only have access to the limited data.
To monitor traffic and stop illicit activity, HEIs need to use advanced network security measures, such as modern firewalls and intrusion detection/prevention systems. Every device should have endpoint detection and response software installed to offer an extra line of defence against malware and zero-day attacks. All sensitive data, whether stored on servers ('at rest') or transmitted across networks ('in transit'), must be encrypted. This simple measure can render stolen data useless to attackers even if they manage to exfiltrate it.
The practice of waiting for a breach to be discovered by an external party is a grave dereliction of duty. Institutions must conduct frequent, independent penetration testing to proactively find and address vulnerabilities. An incident response plan is a playbook for what to do before, during and after a cybersecurity incident. It should outline roles and responsibilities, communication strategies and technical steps to contain and recover from the breach.
Finally, organisational safeguards. Even the most sophisticated technology can only be as effective as the people and procedures that use it. A robust organisational structure is possibly the most important component of the cybersecurity jigsaw.
Every HEI must establish a clear governance structure for cybersecurity. A dedicated data protection officer (DPO) who reports directly to senior leadership needs to be part of the team.
Institutions must create and implement transparent rules for handling data, managing passwords, granting remote access and responding to incidents. Effective communication and frequent updates are also required.
The human element is often the weakest link. All students, faculty and staff must receive mandated and continuous cybersecurity training from HEIs. Phishing simulators may be a valuable tool for raising awareness and testing.
A harsh lesson about the high cost of negligence may be learned from the IIT-R event. All Indian HEIs should take the time to reflect and acknowledge that they can no longer claim to be purely academic institutions creating knowledge — they collect the sensitive personal data of lakhs of individuals including minors, and hence are clearly responsible under the law for creating a digital infrastructure and security system for data protection. This law, the DPDP Act, will offer no immunity to HEIs when it comes to compliance. Chancellors, vice-chancellors, deans and institutional heads must act with urgency before we see a sequel.
Garg is director, trainings, World Cyber Security Forum, and Mittal is registrar and professor of Law, NLU, Tripura