Widespread Indian Exam Data Leaks Put Student Privacy at Risk

Learn how recent Indian exam data leaks affect student privacy and discover critical steps families can take to protect themselves against admissions scams.

Thursday, July 9, 2026

Key Takeaways

  • Commercial websites are selling the personal details of more than 1.5 million Indian students who took national entrance and school board exams. These databases are priced between Rs 1,000 and Rs 10,000.
  • Security vulnerabilities on central systems, including the National Testing Agency (NTA) portal and the Joint Entrance Examination (JEE) Advanced cloud directory, exposed over 1.7 lakh exam results and 1.8 lakh admit card PDFs to the public. Anyone could access them without authentication.
  • India passed the Digital Personal Data Protection (DPDP) Act in 2023. However, key compliance deadlines for organizations handling personal data have been deferred to May 2027. This delay leaves a gap in regulatory enforcement.
  • The leaked data contains specific student information, including exam scores, phone numbers, and parents' names. Because of this, families face a higher risk of targeted admissions scams and spear-phishing.

Personal information of millions of Indian students who recently sat for major national exams is being openly traded online. Databases from the Common University Entrance Test (CUET), JEE Advanced, and secondary school boards are currently on sale or exposed through unsecured portals. These security failures leave families vulnerable to targeted scams while major regulatory protections face delays.

What Happened

Commercial websites are actively advertising student databases to private universities, colleges, and marketing agencies. According to reporting by the Hindustan Times, listings are priced between Rs 1,000 and Rs 10,000 based on database size and demographics. One listing offers a "CUET-2026 Exam Database" containing the private data of over 15 lakh (1.5 million) student candidates.

The records on sale contain sensitive personal identifiers, including candidate names, mobile numbers, email addresses, parental details, dates of birth, and category quotas. Some websites have shared free samples containing the private records of hundreds of students to prove the databases are real. As we have previously explored when analyzing how school data breaches threaten student privacy, the commercialization of this data poses long-term risks to young people.

The Bigger Picture

This commercial market is fueled by technical vulnerabilities across Indian educational platforms. Cybersecurity researchers recently exposed flaws in the infrastructure of several national testing systems. For example, a security researcher bypassed administrative credentials on the National Testing Agency's (NTA) re-examination portal, gaining "superadmin" access due to weak credentials. As detailed by MediaNama, this bypass exposed the personal information of thousands of city coordinators, exam observers, and test centers.

The same investigation revealed that CBSE’s DigiLocker portal featured a critical design flaw. The system used encryption but hard-coded its password key inside a publicly accessible JavaScript file, making it easy to bypass. Furthermore, an open directory on the JEE Advanced platform allowed unauthenticated access to nearly 1.79 lakh exam results and 1.87 lakh student admit cards, as reported by Zee News. Separately, student answer sheets from CBSE board exams were left exposed online, according to the Times of India.

These vulnerabilities persist during a regulatory transition. India passed the Digital Personal Data Protection (DPDP) Act in 2023, which carries heavy penalties for data violations. However, the government has deferred key compliance deadlines for organizations until May 2027, according to legal analysis published by Mondaq. This delay creates an interim period where testing agencies and schools lack immediate enforcement to secure student records.

What This Means for Families

The exposure of these databases changes how bad actors target students and parents. Because the leaked records contain exact exam scores, parental names, and contact details, scammers can craft convincing spear-phishing campaigns. Parents may receive realistic phone calls from individuals pretending to be university admissions officers. These callers can quote exact student scores and demand immediate registration fees to secure a college seat.

This issue highlights the ongoing struggle to protect student data at a systemic level. While some smaller educational projects, such as a student-built chemistry tool, protect user privacy by avoiding account creation entirely, large federal testing bodies continue to use outdated security designs. Until systemic changes occur, families must manage their own digital safety.

What You Can Do

  • Verify All Admission Offers: Treat unsolicited calls, SMS messages, or emails offering university admission with caution. Verify offers by contacting the university directly using the official numbers listed on their public website.
  • Protect Government and Academic Portals: Ensure student portals, including DigiLocker and individual exam result pages, are secured with strong, unique passwords. Enable two-factor authentication where available.
  • Never Share OTPs: Talk to your children about telephone scams. Teach them never to share one-time passwords (OTPs), bank details, or additional personal information over the phone, even if the caller already knows their test scores and registration numbers.
Share: