Data of Hundreds of Thousands of NEET Candidates Leaked Online, Put up for Sale

The leak is part of both a broader trend of how data brokers operate on the grey margins of India’s digital advertising industry and a more specific and pressing issue of how data leaks by official sources help in the invasion of privacy. 

New Delhi: The phone numbers, email IDs and addresses of hundreds of thousands of applicants who took the National Eligibility and Entrance Test (NEET) in 2018 are available online, if you’re willing to pay up to Rs 2 lakh.

The websites that offer this personal data for a price are part of both a broader trend of how data brokers operate on the grey margins of India’s digital advertising industry and a more specific and pressing issue of how data leaks by official sources help in the invasion of privacy. 

Consider ‘official-medical-student-data.com’*.

If you log on, it opens right away with its business proposition: “Many consultants across India trust us for their database needs. Our database prices will be on the higher prices, no doubt. But YES, because of that reason, limited clients will have access to our database and that gives scope to have good conversions.”

A snapshot of the illicit data broker website. Data of students who have taken the NEET exam organised region-wise. Credit: The Wire

The information available is exhaustive: student name, their NEET score, ranking, complete address, date of birth, mobile number and email ID.

The catch, of course, is that you have to pay to access the full data. The website redacts the last three digits of each applicant’s mobile number for what it calls “security reasons”, but is, in fact, a way to make sure that prospective advertisers, marketers or brokers (who need the data) pay up.

The service offers interested buyers a chance to verify whether the data is genuine.

The Wire undertook this process twice, which involves messaging the website operator three random entries from the whole list. The operator, in turn, then messages the free sample of data over WhatsApp.

When The Wire spoke to students and NEET applicants, they all confirmed their personal details, indicating that the data up for sale is genuine.

After buyers are satisfied, the data broker offers a price: Rs 2.4 lakh for the personal data of 2 lakh students, this works out a little over Re 1 for each individual’s information.

Tracking the leak

The source of this data isn’t clear, although there are several possible ones: the Central Board of Secondary Education (CBSE), which is the body in charge of the examination, various universities and colleges or even the vast network of prep schools that teach students and candidates how to crack the NEET. 

It is possible that the data broker who operates the website also gathered the data illicitly through a leak that had been made public accidentally or managing to take advantage of faulty security.

What could help identify the source of data up for sale is the fact that this website doesn’t offer the whole ‘NEET database’ as it were. The number of candidates who wrote NEET in 2018 was a little over 13 lakh – the data of only 2.4 lakh of those people is available for purchase.

Who are the buyers?

The data brokerage industry in India is not new, for either specific niches (like education) or general (a list containing the personal data of all high-net-worth individuals in Bangalore).

In 2017, The Wire and other media publications reported how the data of over 1.5 million students who had appeared for various MBA entrance exams were available for a price on websites such as ‘stduentsdatabase.in’, ‘kensils.co.in’ and ‘allstudentdatabse.in’.

The point of many of these databases that are floating around online is that it serves as a goldmine for universities, colleges and preparatory schools that are looking to contact students who didn’t crack the entrance exams that they hoped they would. For instance, medically-inclined students who failed to crack the NEET are likely to be looking for similar biology-related courses or for training schools that could help them pass the exam next year.

One NEET applicant, whose data was exposed in this leak and who wrote the exam for the second time this year, told The Wire that she had already been receiving calls from prep institutes and other colleges for potential admission.

“I get around four to five calls every day over the last month or so, since NEET results came out, asking me to join other colleges for admission in a different course,” said a student, who only wanted to be identified as a medical aspirant from Uttar Pradesh.

In the past year, The Economic Times and FactorDaily have done detailed investigations into the digital data brokerages of India: this grey industry, which calls itself everything from “customer engagement” to “marketing automation” can sink its teeth into every category of individual.

But the quality and bounded nature of the dataset determine its market value: for instance, one publication noted that it was able to get the private details of one lakh high-net-worth individuals in Bangalore for just Rs 7,000. While useful, it may not result in what the industry calls “conversions” – a metric that tracks whether advertising or marketing has translated into sales.

Specific databases are likely to be worth more or result in potentially higher conversions. For instance, Livemint noted that data of hundreds of thousands of students who had appeared for MBA examinations was worth Rs 60,000.

Legal or not?

A wave of privacy breaches and data leaks have hit India over the last three year, as India’s internet penetration has skyrocketed past shoddy standards of information and cyber security.

In early 2017, The Wire reported that numerous government websites exposed the private details of millions of Indian citizens. The private sector wasn’t far behind, with several major companies having experienced embarrassing data breaches. While most of these leaks were closed, authorities are yet to hold anyone accountable.

While Sections 43A and Sections 72A of the IT Act cover some aspects of a data leak, they are hardly ever used.

While a data protection law is in the works, as The Wire’s reporting has shown that the government is unconcerned at best (and apathetic at worst) to the issue of assigning liability in the aftermath of privacy violations.

On Tuesday morning, Prime Minister Narendra Modi illuminated this fact, tweeting a letter from a class 12 student that made public her personal data including email ID and mobile number.

“Thank you Sakshi for this wonderful letter. I am glad that #ExamWarriors helped you during your exam preparations,” the prime minister said, referring to the book he wrote for students, while forgetting to mask her private details.

*The Wire is withholding the exact name/address of the website in question until it has been taken down.