malware attack
1.5 million leaked students’ confidential data up for sale online for about Rs 60,000REUTERS/Kacper Pempel

Confidential personal information of as many as 1.5 million students, who have appeared for various exams since 2009, has been leaked online. Not just that, this information can be easily bought too if you are ready to shell out anything between Rs 1,000 and Rs 60,000.

Also read: CBSE Class 12 results withheld

While a few samples are available free of cost, the source of this information is yet unknown, reported LiveMint. However, it is also being said that boards and universities may have a role to play in it. Students who appeared for entrance exams – MBA, medical, engineering – and even a few board exams seem to have been affected the most by this leak.

The leaked information includes names, genders, email IDs, phone numbers, complete postal address, scores, and percentile. Surprisingly, some of the buyers seeking the information are reportedly business schools.

"On average, I get three to four calls every day from representatives of various B-schools... the frequency is at its peak in the months of April-June probably because a lot of students are left without admits from premier B-schools at that point in time and these institutes are left with a lot of seats to fill before their academic session starts..." the website quoted Shashank Prabhu, who appeared for MBA entrance exams in 2010-11, as saying.

Hacking
Reuters

Meanwhile, Common Admission Test organisers are in the dark about the leak and said that these details about applicants are not even accessible to the faculty members of the colleges.

"The CAT centre respects the privacy of all CAT takers, and does not share any data of the test takers with anyone, except with the IIMs and the non-IIM member institutions as listed on the CAT website," the site said, quoting a spokesperson of IIM Bangalore. "Even while sharing the CAT scores with the non-IIM member institutions, we do not share any contact details (like address, mobile number, email ID etc) with them."

The sale of such data is against the law unless students were specifically told that the information would later be shared with others or sold. "The IT Act mandates that while collecting information, there is a need to declare the purpose of collation of sensitive information and need to protect the information thereafter... and there is a need to have consent from individual on usage of the information," Atul Gupta, partner and cybersecurity lead at KPMG India, told the website.