National Exam Data Sold Online: What Parents and Educators Must Know

Personal details of over 1.5 million CUET 2026 exam takers are being sold online. Learn how security bypasses happened and what families can do to stay safe.

Thursday, July 9, 2026

Key Takeaways

  • Databases containing the personal details of over 1.5 million CUET 2026 candidates are currently for sale online. University recruiters can purchase this data for prices ranging from Rs 1,000 to Rs 10,000.
  • At the same time, security vulnerabilities have exposed student admit cards and results. These issues include a bypassed NTA re-examination superadmin page and a misconfigured JEE Advanced cloud database.
  • While these leaks continue, enforcement of India’s Digital Personal Data Protection Act of 2023 remains stalled. The government has not yet appointed members to the Data Protection Board, leaving the law without an enforcement body.

The personal information of millions of Indian students is being sold on commercial database websites following major national exams. High-schoolers who recently completed the Common University Entrance Test (CUET) and other board exams are finding their names, mobile numbers, and parents' details marketed to colleges and admission recruiters. This massive exposure shows major gaps in the country's defense of student privacy, occurring right as new digital safety laws are rolling out.

What Happened

Several active websites, such as studentdataprovider.com and studentsdatabases.com, are advertising student directories for prices ranging from Rs 1,000 to Rs 10,000. Some records are online for as little as Rs 1,500. One listing advertised a database of more than 1.5 million CUET 2026 candidates, providing free samples of 500 candidates' complete profiles as proof of the data.

These leaked files contain highly sensitive details. Buyers can access student names, mobile numbers, email addresses, parental contact names, dates of birth, and gender. While the National Testing Agency (NTA) maintains that it only shares credentials through secure, consent-based APIs, educators are concerned. As we have previously reported, school data breaches represent an escalating threat to student safety, exposing young people to identity theft and unwanted solicitations.

The Bigger Picture

The leaks appear to stem from administrative and technical oversights rather than sophisticated cyberattacks. In mid-2026, 16-year-old cybersecurity researcher Rylen Anil revealed that he easily bypassed the NTA’s re-examination portal superadmin page because the portal used weak login credentials. This basic error could have exposed sensitive registration info to malicious actors.

Additionally, a cloud misconfiguration in the JEE Advanced 2026 database, managed by IIT Roorkee, left nearly 180,000 result records and 187,000 candidate admit cards exposed to the public. These security lapses violate India’s Digital Personal Data Protection (DPDP) Act of 2023. While the DPDP Act outlines penalties of up to Rs 250 crore for such lapses, holding organizations accountable is difficult. According to Communications Today, the central Data Protection Board of India is currently stalled because the government has not set up the selection panels to appoint its members.

What This Means for Families

For parents and educators, the immediate concern is the rise of admission scams. Unscrupulous private colleges and enrollment consultants purchase these lists to target students with high-pressure sales calls. When a broker has a student's exact test scores, parents' names, and phone numbers, their scam calls sound highly legitimate.

Early exposure to these data leaks also harms a student's long-term digital safety. High-schoolers are vulnerable to targeted phishing attacks when their personal email addresses and dates of birth are public.

What You Can Do

  • Warn your children that they may receive unsolicited calls or texts offering guaranteed admissions or asking for processing fees. Instruct them never to share official credentials or OTPs over the phone.
  • Always check the official website of any university or college that contacts you. Do not trust unsolicited admission offers received via WhatsApp or email.
  • Although regulatory boards are still being established, families should refuse to provide unnecessary personal information on test prep portals, which often act as secondary sources of leaked lists.
Share: