Sensitive personal data of NEET PG 2025 aspirants, including contact details, exam scores and ranks, is being sold online, raising serious questions about data security.
Multiple candidates told NDTV that information accessible only to examinees and the exam authority has surfaced on websites and messaging platforms, where it is being marketed as "NEET PG 2025 student databases". Aspirants say the data includes names, parents' details, phone numbers, email IDs, cities, states, roll numbers, scores, and ranks.
Several students reported "receiving unsolicited calls and messages from admission agents and private counsellors claiming they could arrange MD or MS seats outside the official counselling system run by the Medical Counselling Committee (MCC)."
A basic online search using the keywords "NEET PG data" leads to multiple listings offering candidate databases as digital products, with prices ranging up to Rs 15,000. NDTV accessed one such sample document containing details of 201 candidates. The sample included phone numbers, email IDs, fathers' names, cities, states, scores, and ranks. The complete dataset, according to the listing, was priced at Rs 3,599.
NDTV contacted several candidates whose details appeared in the sample. All confirmed that they had taken the NEET PG 2025 exam. While some were aware of the alleged breach, others said they were shocked to learn that such detailed personal information was publicly available.
One aspirant, speaking on condition of anonymity, said she had been receiving persistent calls from private colleges and counsellors. "I never authorised anyone to use my personal details. We submit all our information only to the exam conducting body. If my phone number and score are being used to solicit admissions, the source of the leak is obvious," she said.
Another student questioned, "how could private operators access information submitted solely to National Board of Examinations in Medical Sciences (NBEMS) during the examination process?"
A candidate, who is still awaiting seat allotment, said the situation reflects a broader erosion of privacy. "These databases are being sold openly. It feels normalised, just like spam calls from banks. But students are vulnerable, complaining could impact their future, so most stay silent," she said.
Some students claim the data is being circulated widely on Telegram channels and independent websites. One aspirant said he contacted a seller to verify the authenticity of the information. "They quoted Rs 15,000. I shared my rank only to check if their records were genuine. They had everything, my name, my father's name, phone number, email ID, state, and exact rank. Every detail was accurate," the student said.
Aspirants have placed responsibility squarely on NBEMS, saying it is the examination body's duty to safeguard candidate data. They are demanding strict action against those responsible for the alleged leak and greater accountability from authorities involved in handling examination records.
The allegations come as NBEMS remains engaged in ongoing proceedings before the Supreme Court related to NEET PG 2025, adding to mounting concerns over governance, transparency, and data protection in one of the country's most competitive medical entrance examinations.
A senior official at the NBEMS said the board prepares the candidate data but shares it with the Medical Counselling Committee (MCC) and state counselling authorities. "We can say the leak did not happen at the NBEMS level, we have safely handed over the data to MCC. Once the data is shared for counselling, it moves across multiple stakeholders. At this stage, it is not possible to conclusively say where the breach happened," the official said.
The official added that the dataset circulating online appears to contain details only of qualified candidates, which, according to NBEMS, points to the possibility that the leak occurred "further down the chain". "This raises questions because non-qualified candidates' data does not seem to be part of what has surfaced," the official said.
Another NBEMS official said the examination data is handled through a government-empanelled technology partner, with Tata Consultancy Services managing the online application process. However, the official said a breach at that stage appears unlikely. "The data available with the technology partner is primarily for application processing and scorecard publication. That dataset looks very different from what is now being circulated," the official said.
According to NBEMS sources, access to candidate information is tightly restricted, with only a limited number of authorised personnel allowed role-based access and no provision for data retrieval. "The data is officially shared only with state counselling authorities," the official said. NBEMS has submitted its report on the matter to the Health Ministry, and the issue is currently under scrutiny, officials added.
Under the Digital Personal Data Protection (DPDP) Act, 2023, it is the responsibility of organisations that collect and process personal information, including government examination bodies, to ensure that such data is kept secure and used only for its stated purpose.
Cyber security expert Kumud Dubey, Founder Director of Root64 Infosec Research Foundation, said the alleged leak would amount to a serious data protection failure if candidate details have emerged from an official examination platform. "If personal data has gone out from a national-level website, it points to a grave breach and clear non-compliance with the DPDP Act," she said, adding that such lapses could attract penalties.
Dubey also questioned the extent of data collection in examination processes. She said only essential details such as a candidate's name and roll number should be required. "Collecting phone numbers or Aadhaar information goes beyond necessity. The law mandates that data must be collected strictly on a 'need-to-know' basis," she said.
The need-to-know principle means personal data should be accessed, processed, or shared only for a specific and lawful purpose, and only by authorised individuals.
"In practice, this requires strong internal access controls, ensuring that only officials directly involved in examination conduct, evaluation or counselling can view candidate data. Every organisation should have at least one data fiduciary to safeguard data," she said, adding that unrelated departments, vendors, or private counsellors should have no access at all.
She noted that while full enforcement of the Act will begin in November 2026, violations could still draw action, with penalties ranging from Rs 50 crore to Rs 250 crore depending on the severity of the breach.
