More than 50 websites run by a single person are leaking expansive and exhaustive data containing personal information of students including name, phone number, email address, college name, academic qualification, year of passing or year student is currently in and so on. The students in question are from engineering colleges, medical schools, fashion institutes, business schools and even 12th graders.

The domains are run by the same individual who ran the neetdata.com website which was taken down after The Wire reported that it was leaking personal and sensitive data of NEET candidates.

*Disclaimer: The name of the individual and the website URLs have not been mentioned in the interest of protecting the privacy of students whose data is available on these websites.

The domains are a treasure trove of personal data for advertisers who want to market their institutions and coaching classes to aspiring students. The largest data troves are those of engineering students enrolled in colleges and universities across the country: Uttar Pradesh, Tamil Nadu, Karnataka, Telangana, Andhra Pradesh, Madhya Pradesh, West Bengal, Maharashtra, Gujarat, Haryana.

Names and other personal details have been blacked out for security reasons.

The data belongs to hundreds of private as well as government colleges from these states. The domains provide downloadable excel sheets containing personal data including full name, phone number, email address, college name and the year the student is in. Large amounts of data belong who B.Tech students in their final year, who private colleges and coaching institutions market to, in order to lure them into enrolling in their own institutions for higher degrees.

For instance, one domain which contains personal data of engineering students from Tamil Nadu enlists data of students from 81 engineering colleges in the state. Personal data of anywhere between 200-800 students is available for each college, which means data of hundreds of thousands of students’ data is available. Another domain contains personal data of over 21,000 engineering students again in Tamil Nadu.

Engineering students are not the only ones whose data is out there for sale. Data of students in every possible field of education which warrants coaching classes or further studies are available. Colleges and institutions in large states like Maharashtra, Tamil Nadu, and Karnataka are available, indicating the scale of the breach.

Data for sale — lots of it

In most cases of the domains scoured by MediaNama, the domain owners withheld the last three digits of the phone number and three characters of the email address of the students ‘for security reasons’, although this is clearly how advertisers are incentivised to pay for the data. A sample dataset will be available by contacting the domain owner, who will further provide the complete data for a payment.

A typical datasheet from a domain describes the advantages of the database — the website brags that the domain provides data with college name, which enables people to “target students to join in Group rather than Individually.” It further says that “if u can convince one person from the college to join with you, you can easily convince some other students also to join by refering the first student name who is going to join with you. Imagine when you send an SMS or Email to 30,000 current final year students, even if 1% of students join with you also, you get 300 admissions. Just by convincing 1% students, you get 300 admissions.”

The websites are rife with ‘testimonials’ from coaching institutes, advertising solutions firms and individuals complimenting the owner for the ‘very effective’ database because of which they ‘got more students enrolled’, ‘made us reach our branch marketing targets’, ‘got more enquiries’.

This domain enlists 81 colleges from Tamil Nadu; data for all colleges in downloadable in excel sheets.
The domain name and details of the owner have been blurred for security concerns.

Having browsed the domains extensively, we have calculated that from Tamil Nadu alone, data of students enrolled in at least 400 engineering colleges is being leaked. The number of students’ for whom data is available for each college varies anywhere between 150-1000. Even if we are being judicious and counting the minimum number, i.e. 150 students, for each college, at least over 60,000 students have their data out there. Of course, the actual number is many folds higher.

Data leak of underage students

Data of lakhs of underage students who appeared for Class XII examinations in 2018 is available on just one domain. Personal information including full name, parents’ full names, partial mobile number and phone number, gender, district and state are available. The domain is leaking 28 lakh students’ data belonging to 22 state boards and data of almost 9 lakh students belonging to 17 states, who appeared for CBSE Class XII exams. In all, data of 37 lakh students who appeared for their higher secondary exams in 2018 is up for sale.

On one domain, data of Class XII students belonging to different states who had applied for fashion courses is available for sale. The domain main page says “Some of the India’s biggest colleges trust us for their database needs – along with top consultants. Our database prices will be on the higher end, no doubt. But YES, because of that reason, limited clients will have access to our database and that gives scope to have good conversions.”

The personal data includes full name, partial phone number, and address, parents’ full name, Pincode and state he/she belongs to. This data is available for 13,000 Class XII students, some of whom are possibly underage.

Data leak of engineering and MBA candidates

Data of those who had appeared for Joint Entrance Exam 2018 from 24 states is available for sale. To indicate the scale of the leak,  from Maharashtra alone, data of 6,500 candidates is available for sale. JEE is an annual nation-wide competitive exam conducted by the Central Board for Secondary Education (CBSE) for entrance into engineering courses in private and government colleges across the country. The data again includes name, parents’ name, roll number for JEE exam, gender, mobile number, email address, and the state they belong to. Data of over 13,000 applicants who appeared MAT for admission in B-schools is available on one domain. MAT is also an annual nationwide exam conducted by All India Management Association.

The domain name has been blacked to protect students’ data.

Woah, isn’t this illegal?

It is illegal, just not illegal enough.

While Sections 43A and Sections 72A of the IT Act (2008) cover some aspects of a data leak, they are hardly ever used. Section 43A holds the bodies which stores and manages data liable in case of “negligence in implementing and maintaining reasonable security practices.” Section 72A provides for punishment of the agency of an intermediary body for disclosure of personal data without consent and/or any breach of personal or sensitive data.

Per the IT Act 2008, the conveners of these competitive exams, which are the state education boards, CBSE, All India Management Association, and so on are to be held responsible for the breach of sensitive data of what is now totaled to lakhs of individuals, many of whom are or were underage.

The above provisions have been active since IT Act 2008, but clearly are not enough for protection of sensitive data. A data protection law headed by (Retd.) Justice Srikrishna has been in the works for a year; the report is expected to release later this month.

This is a developing story and we will updating as events unfold.