Post data leak, KEA conducts safety audit of portal

Days after the Bengaluru police registered an FIR pertaining to the ‘data leak’ and subsequent media reports, the Karnataka Examinations Authority (KEA) conducted security and safety audit of their website and other online systems adopted by the authority to carry out admissions for professional courses.

According to sources in the department, the National Informatics Centre (NIC) on Monday conducted the audit. “The audit did not reveal any details pertaining to the hacking of the website,” said one of the officials of the KEA. The official further said that the data such as students’ names, parents’ details, locality and contact numbers were indeed accessed by a third party.

Confirming the security audit, Suralkar Vikas Kishore, Executive Director, KEA said, “Security audit has been conducted following recent media reports based on the FIR filed with the jurisdictional police (Malleswaram). Even though we conduct safety audit every year, Monday’s exercise was taken up following recent reports in the media pertaining to the data leak. The details will also be uploaded on the public domain.” He clarified that as per the security audit, the website of KEA was not hacked.

Currently, KEA has data pertaining to more than 2.1 lakh students who had registered for Common Entrance Test (CET) and for National Eligibility cum Entrance Test (NEET). The nature of the data includes students’ names, parents’ names, contact details, college details, CET number, residential address, marks secured in qualifying examinations. Further, the authorities have pulled down the data of candidates who had appeared for other departmental exams conducted by the KEA. “We have informed the candidates to get details in person if at all they need anything,” clarified yet another official.

Officials at KEA revealed to DH that the root cause of this entire data leak episode was “it was not password protected” “Keeping in mind the students’ requirement, KEA had uploaded the details of the students by providing individual IDs and passwords. But the data was not password protected and the third party could access it with the same URL.”