
EQMint Exclusive: After NEET fiasco, RBI UDGAM portal found leaking sensitive data

May 23, 2026 | 5 Mins Read

May 23, 2026: Just as the nation comes to terms with the devastating NEET-UG paper leak that shattered the dreams of over 22 lakh students, and exposed a systemic rot, yet another stunning discovery by renowned ethical hacker Avinash Jain, exclusively accessed by EQMint, has now put the focus back on how institutional machinery tasked with protecting confidential data has utterly failed.


Author: Ashish Pareek | EQMint Exclusive


If you thought the systemic incompetence stopped at the examination centers, think again. The very same disregard for operational discipline that allowed the exam mafia to hijack India’s biggest medical entrance test seems to now have infected our financial data regulators.


From compromised centers to awry APIs

Just like the National Testing Agency (NTA) failed to monitor the physical chain of custody for its exam booklets, the developers behind the RBI’s UDGAM portal seem to have completely abandoned basic digital hygiene and API discipline.


The portal was built around the Unclaimed Deposit Reference Number (UDRN), a privacy shield legally mandated by the RBI to keep third parties from identifying the names or exact branches of account holders. But just as the NTA’s secure ‘command chain’ was breached on the ground, the RBI UDGAM portal’s digital perimeter collapsed at runtime.


“What I found wasn’t an exotic exploit, it was a single field in an API response that shouldn’t have been there. That’s what makes it serious. The UDRN, by RBI’s own binding definition, exists so that a third party running a search cannot identify the account holder,” said Jain while describing the issue.

“The moment the response also returns the holder’s full residential address, that entire privacy guarantee is gone. The design was sound. The implementation quietly undid it,” he added.


A simple look at the backend traffic through browser developer tools pulled back the curtain on a massive institutional data spill. A routine call to the backend:

GET /inoperative_account_backend/dor/search-account/{searchId}

Returned raw, unmasked data packages containing exactly what the law promised to hide:

{
  "accountHolderName": "[name]",
  "address": "[full residential address - house number, sector, locality, city, state]",
  "urn": "[UDRN]",
  "bankName": "[bank]"
}

This is the same pattern of institutional failure: the documentation explicitly dictates one strict security standard, while the real-world runtime behavior hands out a toxic goldmine to bad actors.
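The defect described above is a backend handing the client more fields than the documented contract allows. The standard mitigation is to serialize responses through an allowlist of documented output fields and to test that contract, so that an extra field added by a backend change is dropped and flagged rather than silently shipped. The following is an added example written for this article; it is not code from the RBI, the UDGAM portal, or the researcher. The four documented fields are the ones the article cites from the portal user manual (name, place, bank name, UDRN); the JSON key names and the sample records are assumptions modelled on the response shape shown above, with placeholder values only.

```python
"""Response-contract enforcement for a search endpoint (added example).

Assumed JSON key names (modelled on the response shown in the article):
accountHolderName, place, bankName, urn. Anything else is undocumented
and must never reach the client.
"""
from typing import Any

# Allowlist: the only keys a search response may carry (assumed key names
# for the four documented output fields: name, place, bank name, UDRN).
DOCUMENTED_FIELDS = frozenset({"accountHolderName", "place", "bankName", "urn"})


def enforce_response_contract(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (safe_record, leaked_fields).

    safe_record keeps only allowlisted keys, so a field that the backend
    starts emitting without a documentation change cannot leave the server.
    leaked_fields lists the keys that were dropped, so the discrepancy
    between documentation and runtime can be logged and alerted on.
    """
    safe = {k: v for k, v in record.items() if k in DOCUMENTED_FIELDS}
    leaked = sorted(k for k in record if k not in DOCUMENTED_FIELDS)
    return safe, leaked


def audit_responses(records: list[dict[str, Any]]) -> dict[str, int]:
    """Count how often each undocumented key appears across a batch of
    responses. Usable as a contract test in CI against a staging backend,
    or as a detection rule over API-gateway response samples."""
    counts: dict[str, int] = {}
    for rec in records:
        _, leaked = enforce_response_contract(rec)
        for key in leaked:
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample responses with placeholder values (no real data).
# The first mirrors the leaking shape from the article; the second carries
# an extra flag, standing in for the "MINOR" marker the article mentions.
SAMPLE_RESPONSES = [
    {
        "accountHolderName": "[name]",
        "address": "[full residential address]",
        "urn": "[UDRN]",
        "bankName": "[bank]",
    },
    {
        "accountHolderName": "[name]",
        "place": "[city]",
        "urn": "[UDRN]",
        "bankName": "[bank]",
        "holderType": "MINOR",
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RESPONSES:
        safe, leaked = enforce_response_contract(rec)
        print("client sees:", safe, "| dropped:", leaked)
    print("undocumented fields seen:", audit_responses(SAMPLE_RESPONSES))
```

The point of an allowlist rather than a denylist is that the failure mode reverses: a new column added to the backend query is invisible to clients by default, and the audit makes the mismatch between manual and runtime visible before a third party does.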


More than just a data breach: RBI UDGAM portal

The NEET leak disproportionately crushed honest, hard-working students from marginalized backgrounds who couldn’t afford to pay off syndicates. Horrifyingly, this systemic carelessness targeting children is mirrored perfectly in the RBI UDGAM portal breach.


Among the exposed backend data arrays, records were discovered with the flag “MINOR” stamped right out in the open. The portal openly broadcasted children’s full names, exact residential locations, and banking connections to anyone running a basic search. This is a direct, flagrant violation of the heightened safeguards mandated by India’s Digital Personal Data Protection (DPDP) Act, 2023, the exact type of institutional failure that erodes all remaining public trust.


Avinash Jain, who earlier uncovered critical vulnerabilities in IRCTC, where he prevented a data leak affecting millions of Indian users, as well as in NASA, Google, and Yahoo, flagged this as a serious concern.


“The standard wasn’t ambiguous. RBI’s Master Direction from January 2024 says the UDRN must be such that the account holder cannot be identified by any third party. The RBI UDGAM portal user manual lists the displayed output fields as just four things, name, place, bank name, and UDRN. Full residential address isn’t in that list, and it isn’t in any RBI document I could find. What the API was returning didn’t sit somewhere in a grey zone. It was outside every documented standard, including ones that are binding on the banks themselves,” said Jain.


How this affects you

When paper leak cartels got hold of NEET questions, they weaponized them to rig the system. When a cybercriminal ring gets hold of this four-attribute profile (Name + Full KYC Address + Bank Affiliation + Dormancy Status), they unlock a lethal playground for financial warfare:


  • Hyper-targeted scam ecosystems: Fraudsters can execute high-credibility vishing calls using real, granular home addresses to pose as RBI or bank branch managers, robbing citizens blind.
  • Advanced identity fraud: Malicious actors gain the perfect, verified building blocks needed for identity theft, fraudulent bank account openings, and social-engineered SIM-swap attacks.
  • Direct threat to physical safety: A searchable registry that exposes exact home addresses strips away the safety of individuals who relocated specifically to escape stalking, harassment, or domestic abuse.

This explosive disclosure is based entirely on the findings of Avinash Jain, a renowned ethical hacker, leading cybersecurity specialist, and registered RBI UDGAM portal user. The vulnerability details, data payloads, and evidence logs were uncovered and compiled via rigorous technical analysis of the live portal interface, showcasing the alarming divergence between mandated privacy policies and the system’s actual runtime behavior. EQMint does not independently verify these claims.

