1.5 million students’ data leaked online, put up for sale for up to Rs60,000
New Delhi: Phone numbers, email ID and addresses of at least 1.5 million students are available for a price, although it isn’t clear how this happened.
For between Rs1,000 and Rs60,000 it is possible to get information on at least 1.5 million students who appeared for examinations of several types since 2009.
From the datasheets—samples are available for free—on websites such as studentsdatabase.in, kenils.co.in, and allstudentdatabase.in, it is clear that the students whose information is being sold have appeared for MBA entrance tests (CAT, MAT, MBA CET, CMAT, XAT, and others), some engineering and medical entrance tests, Class X or Class XII board examinations (only some boards), or final year examinations at some universities (Lucknow, Pune).
The source of this data isn’t clear, although there are several possible ones: the board, university or body in-charge of the examination; or the ubiquitous prep schools that prepare students for these tests.
None of the websites responded to queries.
The information available is exhaustive: student name, score, percentile, gender, category, complete address, mobile number, and email ID. Some of that is unlikely to change, making even older data valuable.
Some of the buyers of this data are business schools.
“On average, I get three to four calls every day from representatives of various B-schools… the frequency is at its peak in the months of April-June probably because a lot of students are left without admits from premier B-schools at that point in time and these institutes are left with a lot of seats to fill before their academic session starts...” said Shashank Prabhu, who appeared for MBA entrance exams in 2010-11 and graduated from FMS Delhi in 2013. He is now the founder of LearningRoots, a training institute for Common Admission Test (CAT).
There’s no doubt that the sale of this data is in violation of the law—unless students providing the data were told at the time that it could be collated and shared or sold later. The onus, according to law, is on the entity collecting the data, said an expert.
“The IT Act includes Sec 43A, which specifically covers the measures required to be followed by any entity which is collating sensitive information from individuals…The act mandates that while collecting information, there is a need to declare the purpose of collation of sensitive information and need to protect the information thereafter… and there is a need to have consent from individual on usage of the information,” said Atul Gupta, partner and cybersecurity lead at KPMG India.
The conveners of CAT are clueless about the data being publicly available.
IIM Ahmedabad professor and CAT 2015 convener Tathagata Bandyopadhyay says that “the data is supposed to be strictly confidential and even the faculty members of IIMs do not have access to it use it.”
IIM Bangalore was the convener of CAT 2016. An institute spokesperson said: “The CAT centre respects the privacy of all CAT takers, and does not share any data of the test takers with anyone, except with the IIMs and the non-IIM member institutions as listed on the CAT website. Even while sharing the CAT scores with the non-IIM member institutions, we do not share any contact details (like address, mobile number, email ID etc) with them.”
A spokesperson for All India Management Association (AIMA), which conducts the Management Aptitude Test (MAT), declined to comment.
The Directorate of Technical Education that conducts Maharashtra MBA CET 2016, Central Board of Secondary Education that conducts National Eligibility cum Entrance Test (NEET) and JEE and XLRI that conducts XAT, did not respond to e-mails seeking comment.
“Any individual whose information is included in the database and is in violation of the reason why the information was provided, can seek legal recourse,” added Gupta.