In early 2025, India’s prestigious IIT Roorkee made headlines after personal details of more than 30,000 students and alumni were found exposed online. The breach, which reportedly lingered for years, highlights growing risks in the education sector and the urgent need for stronger data protection practices in India.
What data was affected?
Records belonging to IIT Roorkee students and alumni were found exposed online in 2025. The sensitive personal information that was accessible included:
- Names
- Contact details (emails, phone numbers)
- Caste details
- Financial information
- Academic records
How did the hackers get access to IIT Roorkee's systems?
If you read our blog on the WestJet data breach in Canada, you will have seen that that breach was carried out by a group of sophisticated attackers. The IIT Roorkee incident was different. It wasn't a high-tech hack with fancy tools; the issue came down to weak security. Personal records from IIT Roorkee's academic affairs department were reportedly left online for several years without proper protection, so anyone who stumbled across them could read the data. Nobody needed to crack passwords or sneak past firewalls; according to several cybersecurity experts, the information was simply sitting in the open, unprotected, for years.
IIT Roorkee reportedly launched an internal investigation and fixed the affected systems to prevent this type of leak from happening again. That does not undo the damage, though. Years of unprotected sensitive data is exactly the kind of failure the DPDPA was written to penalise, and the institute has lost the trust of its students. A tarnished reputation is very hard to repair.
What this means for you
Unfortunately, IIT Roorkee reportedly did not notify the affected students of the breach and, unlike WestJet, offered them no remedy. So what does that mean for you if you were affected?
Because personally identifiable information, including financial details, was exposed, it is important to monitor your bank and credit accounts for any transactions you don't recognise. In addition:
- Watch out for phishing emails or calls using exposed details.
- Be wary of scams exploiting caste or academic information.
- Use identity theft protection services if available.
How this breach links to DPDPA
What happened at IIT Roorkee shows exactly the kind of thing the DPDPA is trying to fix. The law says organisations should only collect what they need, keep it safe, and be upfront if something goes wrong. IIT Roorkee did the opposite: years of sensitive data sitting out in the open, no clear controls, and no notice to the people affected. Under the DPDPA, that kind of slip could mean serious fines and a lot more accountability. Let's recap the DPDPA:
- The Digital Personal Data Protection Act (DPDPA, 2023) applies to organisations, public and private, that process digital personal data in India.
- Under the Act, breaches like this could trigger:
  - Investigations by the Data Protection Board of India (DPBI).
  - Heavy penalties, up to ₹250 crore for failing to take reasonable security safeguards, and up to ₹200 crore for failing to notify the Board and the affected individuals of a breach, depending on severity.
IIT Roorkee’s breach underscores why compliance with DPDPA is not optional, even for public institutions.
🥭 Mango Moment:
At the core of mangoHR we believe that your first line of defence is human prevention. Incidents like this show how quickly personal data can be exposed and misused. If you're a business, school or public entity, that means training your personnel to handle sensitive information securely. Our privacy and cybersecurity training gives teams region-specific lessons, real-world examples specifically focused on the DPDPA, and clear steps to prevent breaches.