More than a thousand databases containing Indian students’ data spanning nearly a decade, including the 2026 Common University Entrance Test (CUET-UG), have been found for sale on the internet. This massive leak exposes serious privacy and security risks for millions of students and raises questions about data governance in educational institutions.
- Over 1.5 million student records from 2026 exams leaked
- Data span nearly a decade from multiple government and private sources
- Affected individuals unaware and unable to prevent misuse
What happened
A large volume of Indian students’ personally identifiable information (PII) and academic records have been discovered for sale on the open internet through more than 1,000 databases. These include data from major exams such as the 2026 CUET-UG as well as various government examinations and private coaching institutes. The leak covers nearly ten years of student data.
The accuracy of the leaked data was independently verified through direct contact with multiple affected students and parents, who confirmed that their details were correctly listed and they were unaware of the data’s exposure. One prominent example includes the 2026 CUET-UG database, reportedly containing over 1.5 million student records sold for approximately Rs 6,999.
Why it matters
This extensive data breach raises wide-ranging concerns regarding consent, privacy, and cybersecurity within the Indian education ecosystem. The leaking and trafficking of sensitive student information undermines trust in exam authorities and institutions responsible for safeguarding this data. Victims expressed feelings of helplessness in the face of exploitation beyond their control.
The leak is not a singular incident but reflects a systemic failure as data from at least 41 different examination and institute databases are implicated. This signifies deep-rooted vulnerabilities in data protection practices and highlights the urgent need for regulatory intervention and robust enforcement of data privacy standards.
What to watch next
Stakeholders including educational boards, coaching institutes, and government regulators will likely need to investigate the origins and extent of these breaches and implement stricter controls to prevent future occurrences. There is an increasing demand for transparent communication with affected students and comprehensive measures to protect their identities and data.
Regulators and policymakers may consider revisiting data privacy frameworks and enforcement mechanisms tailored for the education sector. Furthermore, monitoring the online black market for student data and dismantling illicit sales platforms will be critical to stemming this ongoing threat.