Data Privacy

The Data Breach Saga: CAT Candidates’ Personal Data Exposed On The Dark Web

July 16, 2021


The protection of the Right to Privacy is of crucial importance, especially with the overall increase of online presence, as the misuse of personal information without people’s knowledge and consent can disclose the identities of the masses on a large scale.

A similar instance occurred in the Facebook-Cambridge Analytica Data Scandal, where a British counselling company, Cambridge Analytica, harvested the data of millions of Facebook users without their consent. The personal data was used for political advertising for the purpose of creating a better image and credibility, ultimately resulting in elections that were not only unlawful but also went against the very spirit of democracy.

Most body corporates, today, collect sensitive personal information and, therefore, must be responsible and accountable while maintaining the record of such data and should be extremely conscious in the protection of such sensitive data.

Against this backdrop of rampant data breaches occurring across the globe, one breach that caught the public eye in India was that of the candidates appearing for the Common Admission Test, 2020 (CAT).


Recently, in May 2021, the Threat Intelligence Team of CloudSEK, an Indian Cyber Security and Machine Intelligence Company, confirmed that the data of 2,00,000 candidates appearing for the Common Admission Test, 2020 (CAT) was leaked and put on sale on the Dark Web market. The compromised data included sensitive personal data such as the candidates’ names, dates of birth, email IDs, mobile numbers, and addresses. In addition to this, the candidates’ 10th and 12th grade results, details of their Bachelor’s degrees as well as their CAT percentile scores were also leaked. It is also important to note that this is not the first time that this kind of breach or negligence has occurred in India.

In 2019 as well, a similar data breach occurred wherein the data of 1,90,000 candidates appearing in CAT was breached. However, at the time, the Government was not in a position to take any action due to the lack of a legislative framework governing data protection in India. Even now, the Information Technology Act, 2000 (“IT Act”) is the only framework that contains certain provisions pertaining to the protection of sensitive personal information.

Section 2(i) of the Notification of Ministry of Communication and Information Technology dated 11th April 2011, defines “Personal Information” as

“any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

Thus, the data of the candidates which has been breached/leaked clearly falls under the category of ‘personal information’.

It is not only the duty of the State to protect such personal information & data but also the duty of the company/body corporate storing and/or processing such sensitive personal information to maintain adequate protection and security standards for the same.

Section 43A of the IT Act says that if a body corporate is dealing in or maintaining the records of sensitive personal information, it is also responsible for maintaining reasonable security measures/protocols to protect it. If the body corporate fails to take reasonable care, it would be held liable to pay compensation for the same.

In this recent data breach of CAT, 2020 candidates’ personal data, there is a dire need for a proper investigation to hold the relevant body corporate liable. On the other hand, the State should also use this opportunity to take a critical stand for the measures that should be in place for the protection of such sensitive personal information without fail. Moreover, this situation has also highlighted the immediate and imminent necessity of putting in place stricter laws and implementing the same rigorously, making such acts of negligence criminally liable.



Presently, such data breaches and the protection of data overall are governed by a part of the IT Act, which is evidently not enough for regulating the protection of sensitive personal information. Section 72A of the IT Act vaguely covers the crime of intentionally disclosing the information of a person without his/her consent but the provision primarily focuses on the breach of a lawful contract, thereby rendering it vague and insufficient to govern the general disclosure of sensitive personal information without the owner’s consent.

Although the Supreme Court of India has recognised the Right to Privacy as a Fundamental Right which was read into Article 21 of the Indian Constitution, at present, India does not have any specific legislation that governs the preservation of privacy and the protection of personal data. The Personal Data Protection Bill, 2019 (PDPB) has been introduced in the Parliament for discussion, but it is yet to be passed and formally enacted. On the other hand, India is a signatory to several International Conventions and Declarations such as the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, which recognise the Right to Privacy as an important part of human existence. However, the absence of any specific law enforcing the Right to Privacy in India leaves a huge void to be filled and leaves a lot of room for the possibility that the efforts being made for the increased and better protection of personal data would be nullified.



Since the very hallmark of ‘personal information’ is that it helps in identifying a person from others, the concerned person/owner of such information should have the right to decide whether to share such information or not. If such information is taken and/or disclosed without his/her consent, then the action should be governed by an extensive legislative framework like the PDPB which will ensure the protection of the Right to Privacy and the protection of sensitive personal information.

At present, the Indian Legal System has a major lacuna when it comes to a holistic and comprehensive Data Protection Framework that would ensure the privacy of Indian citizens. The Government is constantly witnessing the drastic consequences of several large scale data breaches, amounting to the violation of the Fundamental Right to Privacy of the masses.

Due to the lack of a legislative framework governing the arena of Data Protection and Data Privacy, the State has, so far, been unable to take any concrete action against such Data Breaches. However, the enactment of the Personal Data Protection Act will usher in long-awaited changes in the legislative framework governing Data Protection & Security, resulting in better and increased protection of the people’s Right to Privacy.



© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

