Personal details of students who appeared for national entrance and school board examinations this year are being openly sold on multiple websites, raising serious concerns over student privacy and data security at a time when the Digital Personal Data Protection (DPDP) Act is being rolled out in phases.
Several websites, including studentdataprovider.com, studentsdatabases.com, studentdatahub.com, studentsdatabase.net, bulkstudentdata.com, and studentdatabaseindia.com, are advertising databases of students to universities, colleges and admission consultants for enrolment outreach and lead generation. The databases are priced between Rs 1,000 and Rs 10,000, depending on their size and the demographic filters selected.
One listing on studentdataprovider.com advertises a "CUET-2026 Exam Database" containing details of more than 15 lakh candidates. The data fields listed include application numbers, candidate names, mobile numbers, email addresses, parents' names, dates of birth, gender, and quota categories.
The website also shared a free sample containing the details of 500 candidates who appeared for the Common University Entrance Test for Undergraduate (CUET-UG) 2026. The examination was conducted by the National Testing Agency (NTA) between May 13 and June 3, and the results were declared on July 4.
The sale of such databases appears to run contrary to the principles of the Digital Personal Data Protection Act, which requires personal data to be processed only for the purpose for which it was collected and, in most cases, with the individual's consent.
The legislation, which received Presidential assent in August 2023, provides for penalties of up to Rs 250 crore for violations. However, key compliance obligations for organisations handling personal data are scheduled to come into force in May 2027 after the government deferred an earlier proposal to accelerate implementation.
Keshav Agarwal, president of the educators federation, calling the sale of candidate data alarming said, "Student data security must now be treated with the same seriousness as examination security. The NTA needs to investigate this issue seriously as CUET data is collected by it and data cannot go out on its own. Such accurate data leaks point to either major cybersecurity failures, insider compromise, or both-something only an independent forensic investigation can determine."
The NTA maintains that protecting candidates' personal information remains its highest priority. It added that the sharing of examination credentials and results with universities is carried out only through secure, consent-based application programming interfaces (APIs) integrated with government platforms such as DigiLocker, the National Academic Depository (NAD), and API Setu.