The phone numbers, email IDs and addresses of hundreds of thousands of applicants who took the National Eligibility and Entrance Test (NEET) in 2018 were available online, for a payment of up to Rs 2 lakh, The Wire has reported.

Neetdata.com, the website in question, has since been taken down. NEET is a medical entrance exam for MBBS and BDS (dental courses) for admission into various private and government colleges throughout the country. The exam is convened by the Central Board for Secondary Education (CBSE) every year.

The website provided the above data of NEET applicants from at least up to 15 states, including significantly larger states such as Maharashtra, Andhra Pradesh, Karnataka and so on. The Wire report clarifies that the website did not offer the entire ‘NEET database’, as over 13 lakh individuals took NEET in 2018, while the data of 2.4 lakh people was available for purchase.

Note that the NEET exam is conducted for MBBS and BDS programmes for students who have passed Class XII. There is a high likelihood that the leak included sensitive personal data of underage candidates, as the corresponding age while appearing for Class XII is usually 17 or 18 years.

According to The Wire, which scoured the database, the website opened with a statement proposing the sale of such data: “Many consultants across India trust us for their database needs. Our database prices will be on the higher prices, no doubt. But YES, because of that reason, limited clients will have access to our database and that gives scope to have good conversions.”

The information available provided a complete picture of applicants: student name, their NEET score, ranking, complete address, date of birth, mobile number and email ID. This data was available to anybody for a payment. The website also withheld the last three digits of the applicant’s mobile number, which is an incentive to make interested parties pay up for the complete data.

Data available for payment

The Wire also cross-verified the data with the applicants and found it to be genuine. The broker offered prices for data: Rs. 2.4 lakh for personal data of 2 lakh applicants.

Possible buyers are training/coaching institutes and private medical colleges which lure students who did not crack the NEET to join their coaching or medical schools. In 2017, there was a similar breach of exhaustive personal data of candidates for MBA entrances (CAT, MAT, CMAT and so on) and some engineering and medical entrance tests. According to this Livemint report, some of the buyers in that case were business schools, who try to make the most of students who could not get admission to premier B-schools. The conveners of CAT, an annual competitive exam, are established B-schools such as IIM-Ahmedabad in 2015 and IIM-Bangalore in 2016. These institutions were clueless about the leaks, and said that “even the faculty members of IIMs do not have access to it use it.”

Isn’t this illegal?

It is illegal, but not illegal enough.

While Sections 43A and 72A of the IT Act (2008) cover some aspects of a data leak, they are hardly ever used. Section 43A holds the bodies which store and manage data liable in case of “negligency in implementing and maintaining reasonable security practices.” Section 72A provides for punishment of the agency or intermediary body for disclosure of personal data without consent and/or any breach of personal or sensitive data.

The above provisions have been active since IT Act 2008, but clearly are not enough for protection of sensitive data. A data protection law headed by (Retd.) Justice Srikrishna has been in the works for a year; the report is expected to be released later this month.

The plague of data breaches lately

India has been flooded with data breaches from government repositories lately and Andhra Pradesh has come out on top for exposing medical, caste, and geographic data of its citizens. Throughout June, breaches containing troves of data identifying individuals were reported. Here’s a look at what data was vulnerable.

An unsecured AP government portal exposed the names and numbers of all the people who had purchased medicines from the government-run generic medical stores — Anna Sanjivini Stores. The leak contained logs of Order ID, the Store Operator ID, Customer name, Customer phone number, details of the medicines, and the money paid, for each order. Details of people who had purchased Suhagra, a generic version of Viagra (a drug used to treat erectile dysfunction) were leaked as well.

It emerged that a state government portal which tracked ambulances in real-time was vulnerable and could be accessed by anybody with an internet connection. The portal was monitoring the movement of these vehicles and had sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken. Such knowledge and data gathering also raised concerns over the kind of data collected by state governments.

Details of up to 4.5 crore citizens — right from their phone numbers, insurance status, and home addresses — were exposed on a state government portal, accessible with only an Aadhaar number. All the data collected under Praja Sadhikhara Survey or Smart Pulse Survey, which is an extensive database of socio-economic and demographic data of citizens and seeded with Aadhaar, was open for access.
