The personal information of millions of Indian students is being sold on commercial database websites following major national exams. High-schoolers who recently completed the Common University Entrance Test (CUET) and other board exams are finding their names, mobile numbers, and parents' details marketed to colleges and admission recruiters. This massive exposure shows major gaps in the country's defense of student privacy, occurring right as new digital safety laws are rolling out.
What Happened
Several active websites, such as studentdataprovider.com and studentsdatabases.com, are advertising student directories for prices ranging from Rs 1,000 to Rs 10,000. Some records are online for as little as Rs 1,500. One listing advertised a database of more than 1.5 million CUET 2026 candidates, providing free samples of 500 candidates' complete profiles as proof of the data.
These leaked files contain highly sensitive details. Buyers can access student names, mobile numbers, email addresses, parental contact names, dates of birth, and gender. While the National Testing Agency (NTA) maintains that it only shares credentials through secure, consent-based APIs, educators are concerned. As we have previously reported, school data breaches represent an escalating threat to student safety, exposing young people to identity theft and unwanted solicitations.
The Bigger Picture
The leaks appear to stem from administrative and technical oversights rather than sophisticated cyberattacks. In mid-2026, 16-year-old cybersecurity researcher Rylen Anil revealed that he easily bypassed the NTA’s re-examination portal superadmin page because the portal used weak login credentials. This basic error could have exposed sensitive registration info to malicious actors.
Additionally, a cloud misconfiguration in the JEE Advanced 2026 database, managed by IIT Roorkee, left nearly 180,000 result records and 187,000 candidate admit cards exposed to the public. These security lapses violate India’s Digital Personal Data Protection (DPDP) Act of 2023. While the DPDP Act outlines penalties of up to Rs 250 crore for such lapses, holding organizations accountable is difficult. According to Communications Today, the central Data Protection Board of India is currently stalled because the government has not set up the selection panels to appoint its members.
What This Means for Families
For parents and educators, the immediate concern is the rise of admission scams. Unscrupulous private colleges and enrollment consultants purchase these lists to target students with high-pressure sales calls. When a broker has a student's exact test scores, parents' names, and phone numbers, their scam calls sound highly legitimate.
Early exposure to these data leaks also harms a student's long-term digital safety. High-schoolers are vulnerable to targeted phishing attacks when their personal email addresses and dates of birth are public.
What You Can Do
- Warn your children that they may receive unsolicited calls or texts offering guaranteed admissions or asking for processing fees. Instruct them never to share official credentials or OTPs over the phone.
- Always check the official website of any university or college that contacts you. Do not trust unsolicited admission offers received via WhatsApp or email.
- Although regulatory boards are still being established, families should refuse to provide unnecessary personal information on test prep portals, which often act as secondary sources of leaked lists.