Several websites are openly selling databases containing the personal details of students who sat for national entrance and school board examinations this year. The unchecked trade has raised fresh concerns over student privacy safeguards just as the Digital Personal Data Protection (DPDP) Act is being rolled out in phases.

Websites such as studentdataprovider.com, studentsdatabases.com, studentdatahub.com, studentsdatabase.net, bulkstudentdata.com, and studentdatabaseindia.com are advertising student registries to universities and admission consultants for enrolment outreach and lead generation. Prices range from ₹1,000 to ₹10,000, depending on the database size and demographic filters.
One listing on studentdataprovider.com fields a “CUET-2026 Exam Database” containing more than 1.5 million candidate records. The leaked fields include application numbers, candidate names, mobile numbers, email addresses, parents’ names, dates of birth, gender, and quota categories.
The portal shared a free sample containing details of 500 candidates who appeared for the Common University Entrance Test for Undergraduate (CUET-UG) 2026, conducted by the National Testing Agency (NTA) between May 11 and June 7, with results declared on June 23.
The sale runs contrary to the intent of the DPDP Act, under which personal data must only be processed for the specific purpose for which it was collected and generally with individual consent. The law, which received Presidential assent in August 2023, provides for penalties of up to ₹250 crore for violations. While key compliance obligations for organizations handling personal data are scheduled to take effect in May 2027, the government dropped a proposal to advance the timeline following industry pushback.
{{/usCountry}}The sale runs contrary to the intent of the DPDP Act, under which personal data must only be processed for the specific purpose for which it was collected and generally with individual consent. The law, which received Presidential assent in August 2023, provides for penalties of up to ₹250 crore for violations. While key compliance obligations for organizations handling personal data are scheduled to take effect in May 2027, the government dropped a proposal to advance the timeline following industry pushback.
{{/usCountry}}Students whose details appeared in the registries said they have been flooded with unsolicited calls from private universities and career counsellors nationwide.
“It is frustrating. I don’t know how these websites got my details, but I suspect the websites from where I downloaded study material after registering may have shared my information,” said Aditya Mishra, a Kolkata student who appeared for CUET-UG 2026 and whose details were listed in a free sample.
Vishnu Kant Rai, a Varanasi student aspiring to study BSc (Hons) Physics at Delhi University, said he has received repeated calls from private universities in Uttarakhand, Uttar Pradesh, Punjab, and Haryana. “I have to answer every call because I cannot afford to miss an important one. The government should take action against these websites selling our data,” Rai said.
The data companies defended the practice. Musarrat Shaheen of Delhi-based Bulk Students Data said the firm sells databases to university marketing teams and that “it is not illegal to use the databases for such purposes.” Prathibha of Bengaluru-based studentsdatabase.net said the company procures data “through various vendors” but declined to identify them.
Om Kumar of Noida-based studentdataprovider.com said the firm collects data from “various small websites” to maintain its registry.
Privacy and cybersecurity experts said the sales point to potential data misuse and underscore the need to trace the source. Dhruv Garg, a partner at the Indian Governance and Policy Project (IGAP), said student information collected for exams, counselling, or admissions should not be turned into “a tradable commodity for marketing.”
“The legal consequences will depend on the source of the database. If the data was obtained through unauthorised access, scraping, leakage from an examination body, vendor, coaching platform or university database, provisions of the IT Act dealing with unauthorised access and data extraction may be attracted. If a company or vendor collected this data under a privacy policy or service contract and then sold it without consent, Section 72A of the IT Act may also be relevant. Bulk calls or SMS campaigns using such data must also comply with TRAI’s unsolicited communications framework. The larger issue is that the impacted students may also be minor and exposing their personal information is dangerous,” Garg said.
Keshav Agarwal, president of the educators federation, said the sale warrants an independent forensic investigation to determine whether it resulted from cybersecurity failures or insider compromise. “Student data security must now be treated with the same seriousness as examination security,” Agarwal said.
The NTA stated that it accords the highest priority to candidate privacy, adding that result and credential sharing with universities is done through secure, consent-based application programming interfaces (APIs) on government DigiLocker, National Academic Depository (NAD), and API Setu platforms. A MeitY official said the ministry will check if the matter has been formally reported.