CBSE’s On Screen Marking System Faces Cybersecurity Scrutiny Amid Data Exposure Claims
The Central Board of Secondary Education (CBSE) is embroiled in a growing controversy over alleged cybersecurity lapses in its On Screen Marking (OSM) system, which critics say have exposed sensitive student data, including scanned answer sheets and question papers. Independent developers and ethical hackers have publicly flagged vulnerabilities, prompting calls for urgent intervention by the National Human Rights Commission (NHRC).
Android developer Sidharth alleged on X (formerly Twitter) that the OSM portals, developed by EduTek, were "fundamentally insecure," citing default passwords, remote code execution (RCE) flaws via URLs, and weak MD5 hashing. Separately, 19-year-old software engineer Nisarga Adhikary claimed that misconfigured AWS storage buckets linked to CBSE allowed unrestricted access to over 2,000 scanned answer sheets and question papers, enabling downloads by anyone online. Adhikary had previously reported breaching parts of CBSE’s digital evaluation infrastructure.
In response, CBSE stated that vulnerabilities in the service provider’s portal had been "contained" and that cybersecurity specialists from government agencies and IITs were deployed to bolster security. The board acknowledged monitoring public disclosures of flaws and thanked "ethical hackers" for their reports but did not address the AWS exposure claims directly.
Activist and advocate Anubha Shrivastava Sahai has petitioned the NHRC, urging it to take suo motu cognizance of the issue. She warned that ongoing OSM disruptions could disrupt admissions, scholarships, and educational opportunities for thousands of students, calling for alternative grievance mechanisms, deadline extensions, and protections against penalties due to technological failures. The NHRC has been asked to seek reports from CBSE and the Education Ministry.
Edu Tek Ltd. cybersecurity rating report: https://www.rankiteo.com/company/etltd
"id": "ETL1780280796",
"linkid": "etltd",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Thousands of students',
'industry': 'Education',
'location': 'India',
'name': 'Central Board of Secondary Education (CBSE)',
'size': 'Large',
'type': 'Government Education Board'},
{'industry': 'Education Technology',
'name': 'EduTek',
'type': 'Service Provider'}],
'attack_vector': ['Remote Code Execution (RCE)',
'Misconfigured AWS Storage Buckets'],
'data_breach': {'data_encryption': 'Weak (MD5 hashing)',
'data_exfiltration': 'Yes (unrestricted downloads)',
'file_types_exposed': ['Scanned documents'],
'number_of_records_exposed': 'Over 2,000 scanned answer '
'sheets and question papers',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information of students)',
'type_of_data_compromised': ['Scanned answer sheets',
'Question papers',
'Student data']},
'description': 'The Central Board of Secondary Education (CBSE) is embroiled '
'in a growing controversy over alleged cybersecurity lapses in '
'its On Screen Marking (OSM) system, which critics say have '
'exposed sensitive student data, including scanned answer '
'sheets and question papers. Independent developers and '
'ethical hackers have publicly flagged vulnerabilities, '
'prompting calls for urgent intervention by the National Human '
'Rights Commission (NHRC).',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Sensitive student data, including scanned '
'answer sheets and question papers',
'identity_theft_risk': 'High (student data exposed)',
'legal_liabilities': 'Potential regulatory and legal actions',
'operational_impact': 'Potential disruptions to admissions, '
'scholarships, and educational opportunities',
'systems_affected': ['On Screen Marking (OSM) system',
'AWS storage buckets']},
'investigation_status': 'Ongoing',
'motivation': 'Ethical disclosure / Unauthorized access',
'post_incident_analysis': {'root_causes': ['Default passwords',
'Weak MD5 hashing',
'Misconfigured AWS storage '
'buckets']},
'recommendations': ['Urgent security audit',
'Alternative grievance mechanisms',
'Deadline extensions for students',
'Protections against penalties due to technological '
'failures'],
'references': [{'source': 'Sidharth (Android developer) on X (Twitter)'},
{'source': 'Nisarga Adhikary (Software engineer)'},
{'source': 'CBSE Official Statement'},
{'source': 'Anubha Shrivastava Sahai (Activist and Advocate)'}],
'regulatory_compliance': {'legal_actions': 'Petition filed with the National '
'Human Rights Commission (NHRC)',
'regulatory_notifications': 'NHRC asked to seek '
'reports from CBSE and '
'the Education '
'Ministry'},
'response': {'communication_strategy': 'Public acknowledgment of '
'vulnerabilities and thanks to ethical '
'hackers',
'containment_measures': 'Vulnerabilities in the service '
'provider’s portal contained',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Deployment of cybersecurity specialists',
'third_party_assistance': 'Cybersecurity specialists from '
'government agencies and IITs'},
'stakeholder_advisories': 'NHRC urged to intervene; reports sought from CBSE '
'and Education Ministry',
'threat_actor': ['Independent developers', 'Ethical hackers'],
'title': 'CBSE’s On Screen Marking System Faces Cybersecurity Scrutiny Amid '
'Data Exposure Claims',
'type': 'Data Exposure',
'vulnerability_exploited': ['Default passwords',
'Weak MD5 hashing',
'Unrestricted access to AWS buckets']}