1.5M CUET records allegedly for sale: your DPDP breach playbook for ed-tech and exam contractors
Updated: 10 Jul 2026 · For: SaaS founders, DPOs and growth leads selling to enterprises
What changed
On 9 July 2026, Hindustan Times reported that multiple websites — including studentdataprovider.com — are openly selling registries of national entrance and board-exam candidates. One listing advertises a CUET-2026 database of more than 1.5 million records, with fields such as application numbers, names, mobile numbers, emails, parents' names, dates of birth, gender, and quota categories; a free sample of 500 CUET-UG 2026 candidates was shared publicly. Affected students report unsolicited calls from private universities nationwide. NTA states result-sharing with universities runs through consent-based APIs on DigiLocker, NAD, and API Setu — raising the question of vendor leakage, scraping, or insider compromise rather than authorised disclosure.
What the law is (plain English)
Under the Digital Personal Data Protection Act, 2023, personal data must be processed for specified purposes with valid notice and consent — exam registration data cannot lawfully be repurposed as a tradable marketing list. The DPDP Rules, 2025 operationalise breach intimation duties: data fiduciaries must notify the Data Protection Board and affected individuals when a personal data breach is likely to cause harm. Parallel tracks may apply: Section 43 and Section 72A of the IT Act, 2000 for unauthorised access or breach of lawful contract; TRAI's unsolicited commercial communications framework if bulk SMS or calls follow. Where candidates are minors, heightened care applies. Penalties under DPDP can reach ₹250 crore for security failures and ₹200 crore for processing on invalid notice or consent — figures counsel cites only when enforcement risk is real, not for alarmism.
What it means in practice
Ed-tech platforms, coaching aggregators, admission CRM vendors, and universities buying 'student leads' are now in the enforcement spotlight. Enterprise buyers will ask vendors for data lineage, subprocessors, and breach warranties. If your product captured CUET-adjacent sign-ups, study-material downloads, or counselling forms, investors and regulators will ask whether your privacy notice authorised resale and whether logs prove no exfiltration. SB Tech Associates routinely maps exam-data flows for clients — from registration APIs to outbound diallers — because the liability sits with the fiduciary who collected the data, not the broker who resold it.
What founders should do this week
- Inventory every vendor, coach, CRM, and call-centre with access to student PII — terminate contracts that lack purpose limitation and audit rights
- Pull web logs and admin exports for bulk downloads since May 2026; preserve chain of custody if anomalies appear
- Draft a Board-ready breach assessment: harm to minors, scale, fields exposed, and whether intimation to the Data Protection Board is triggered
- Rewrite admission-outreach consent and vendor DPAs — ban resale, mandate 72-hour processor breach notice, and India-region log retention
- If you purchased any student list since CUET-UG 2026, stop using it and document destruction — possession alone creates diligence and enforcement risk
What can wait
- Full SDF-grade DPIA until you confirm whether your cohort processes data at the scale or sensitivity of exam registries
- Marketing personalisation rebuilds if outbound campaigns are already paused pending legal review
When to call counsel
- A vendor admits data came from 'small websites' or unnamed third parties — you need a formal source-of-data opinion before the next funding or government RFP
- Your logs show bulk exports, shared admin accounts, or a subprocessors list that does not match what students were told at registration
- A university, investor, or regulator asks for breach intimation status and you cannot show a documented harm assessment within 72 hours of discovery
Founder FAQ
Does buying a 'CUET database' from a broker make my university compliant?
No. Purpose-limited exam data cannot be repurposed as purchased marketing leads. Using such lists exposes you to DPDP, IT Act, and TRAI enforcement risk — and due diligence failures in accreditation or franchise reviews.
We only downloaded a free sample — are we still at risk?
Possession and use of leaked personal data can still attract complaints and civil claims, especially where minors are involved. Document deletion, stop outreach, and obtain counsel on whether intimation duties arise from your role as fiduciary or processor.
NTA says it uses secure APIs — does that end our liability as a vendor?
Not automatically. If your coaching portal, PDF unlock, or counselling form fed the leak, your contracts and logs — not NTA's press statement — determine exposure. Counsel should trace lineage from collection to dialler.
SB Tech Associates: General information only — not legal advice. Verify the official notification and obtain counsel for your facts before acting.
Source: Hindustan Times →
Topics: CUET 2026 data breach India, DPDP data breach notification, ed-tech data leak liability India, student database sold online India, NTA data protection compliance, personal data breach playbook India
This publication is for general information only and does not constitute legal advice. Regulatory positions evolve; verify current notifications and obtain counsel before acting. © 2026 SB Tech Associates.