<h1>CBSE OnMark Portal Flaws Shift Scrutiny to Vendor Control</h1>
<p>The CBSE OnMark portal vulnerabilities that the board says it has contained are no longer only a website-security story. They test whether India&#8217;s biggest school board can prove that outsourced digital evaluation, cloud storage and student data controls are fit for exam records that decide college admissions.</p>
<p>On May 31, the Central Board of Secondary Education (CBSE, India&#8217;s national school board under the Ministry of Education) said an expert team from government arms and the Indian Institutes of Technology (IITs, public engineering institutes) had been deployed to secure the OnMark system, according to <a href='https://newsonair.gov.in/cbse-deploys-cybersecurity-experts-and-iit-teams-to-secure-onmark-portal/' target='_blank' rel='noopener'>the board&#8217;s public cybersecurity statement</a>. The harder test begins after containment: who controlled the system, who audited it, and who can show students that no answer-book record was altered or exposed.</p>
<h2>A Containment Notice Leaves a Bigger Burden of Proof</h2>
<p>The board&#8217;s language matters. It did not say only that a rumour had been answered, as it had done in an earlier phase of the row. It said identified vulnerabilities in the OnMark portal of its service provider had been contained, and that other exploitable weaknesses were being ruled out.</p>
<p>That wording moves the case from denial to verification. A contained flaw can still leave behind questions about access logs, password resets, file downloads, examiner accounts and whether any sensitive student material was available beyond the people who needed it.</p>
<ul>
<li><strong>May 31:</strong> the board said identified weaknesses were contained and further checks were under way.</li>
<li><strong>February 25:</strong> Internet Freedom Foundation says researcher Nisarga Adhikary disclosed five vulnerabilities to the Indian Computer Emergency Response Team.</li>
<li><strong>Nearly 46 lakh:</strong> CBSE said its Class X and Class XII board examinations cover that many students across India and 26 countries.</li>
<li><strong>116 subjects:</strong> the board&#8217;s OSM FAQ says marking schemes for all subjects were uploaded to the evaluation portal.</li>
</ul>
<p>The board can still show that no student was harmed. But the evidence has to be technical, dated and public enough for parents, schools and evaluators to understand.</p>
<figure class="wp-block-image aligncenter featured-image" style="margin:1.5em auto;text-align:center;"><img class="aligncenter" src="https://budgyapp.com/wp-content/uploads/2026/06/cbse-onmark-portal-vulnerabilities-raise-student-data-governance-questions.webp" alt="CBSE OnMark portal vulnerabilities raise student data governance questions." style="width:100%;max-width:800px;height:auto;border-radius:8px;display:block;margin:0 auto;" /><figcaption style="text-align:center;font-size:0.85em;color:#888;margin-top:0.5em;">CBSE OnMark portal vulnerabilities raise student data governance questions.</figcaption></figure>
<h2>The Vendor Layer Now Carries the Story</h2>
<p>Public anger has focused on the board because students and schools deal with the board. Operationally, the sharper question sits one layer down. The controversy concerns a <strong>vendor-owned control plane</strong> for national exam evaluation, a place where scanned answer books, examiner logins and marks workflows meet.</p>
<p>Coempt EduTeck Pvt. Ltd., the private company identified in public accounts and by Internet Freedom Foundation (IFF, an Indian digital rights nonprofit) as connected to the OnMark platform, has not been placed at the centre of the official public explanation. That gap is now costly. A system can be procured by a public authority, run by a contractor and hosted through cloud services, but accountability cannot travel in pieces.</p>
<p>The board needs to answer a simple chain-of-custody question. Who had administrative access at each stage, from scanning to upload to marking to post-result access, and which independent auditor tested those controls before students&#8217; records moved through them?</p>
<h2>The OSM Promise Was Administrative Certainty</h2>
<p>CBSE&#8217;s case for On-Screen Marking (OSM, a digital evaluation method in which scanned answer books are marked on a monitor) was built around fewer manual errors. In <a href='https://www.cbse.gov.in/cbsenew/documents/OSM_Class%20XII_09022026.pdf' target='_blank' rel='noopener'>the February OSM circular</a>, the board said Class XII answer books would be evaluated through the system beginning with the current examination cycle, while Class X evaluation would remain physical. It listed expected benefits such as automated coordination, faster evaluation, lower transport costs and elimination of totalling errors.</p>
<p>CBSE later published <a href='https://www.cbse.gov.in/cbsenew/documents/FAQ-OSM_18052026.pdf' target='_blank' rel='noopener'>the board&#8217;s OSM FAQ</a>, which described actual answer books being scanned, quality checks before evaluation, examiner logins, question-wise marks entry and automated totals. That is a strong administrative design on paper. It also creates several points where a weak access rule, misconfigured storage path or poor logging practice can become a national trust problem.</p>
<table>
<thead>
<tr>
<th>Layer</th>
<th>CBSE&#8217;s Stated Design</th>
<th>Current Question</th>
<th>Proof Needed</th>
</tr>
</thead>
<tbody>
<tr>
<td>Scanning</td>
<td>Answer books are scanned without cutting the spine and checked for clarity.</td>
<td>Were scans complete, linked to the right barcode and protected from public access?</td>
<td>Sample audit of scans, barcode matches and storage permissions.</td>
</tr>
<tr>
<td>Evaluator Login</td>
<td>Examiners log in digitally using credentials linked to school data.</td>
<td>Could authentication flaws allow account takeover or impersonation?</td>
<td>Authentication audit, password-reset logs and failed-login analysis.</td>
</tr>
<tr>
<td>Marks Entry</td>
<td>Marks are entered question-wise and totalled by the system.</td>
<td>Could a non-authorized user view or alter marks after submission?</td>
<td>Immutable mark-change logs and role-based access review.</td>
</tr>
<tr>
<td>Post-Result Access</td>
<td>Students can obtain scanned copies through designated channels.</td>
<td>Were answer sheets and student records accessible outside approved channels?</td>
<td>Download logs, exposed-object review and student notification criteria.</td>
</tr>
</tbody>
</table>
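<p>The "Marks Entry" row above asks for immutable mark-change logs as proof. The following is an added illustration, not CBSE, OnMark or Coempt code, of what such a log can look like: an append-only ledger in which every entry commits to the hash of the previous one, so that any later edit, deletion or reordering of a mark change breaks the chain and the audit reports the first bad position. The log is also the source of truth for a candidate's current marks, which is why replaying it must give the same totals the system reports. All roll numbers, examiner ids, question labels and marks are constructed sample data, and the <code>GENESIS</code> anchor is an assumption of this example.</p>

```python
"""Tamper-evident, append-only mark-change log (added example, not OnMark code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GENESIS = "0" * 64  # hypothetical anchor hash for the first entry in a ledger


@dataclass(frozen=True)
class MarkChange:
    seq: int                   # position in the ledger, starting at 0
    roll: str                  # constructed candidate identifier
    question: str              # constructed question label, e.g. "Q2"
    old_marks: Optional[int]   # None for the first entry of a question
    new_marks: int
    examiner: str              # constructed examiner account id
    prev_hash: str             # entry_hash of the previous record (or GENESIS)
    entry_hash: str = ""       # SHA-256 over every other field

    def canonical(self) -> bytes:
        """Deterministic serialisation of all fields except the hash itself."""
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(change: MarkChange) -> str:
    return hashlib.sha256(change.canonical()).hexdigest()


@dataclass
class MarkLedger:
    entries: List[MarkChange] = field(default_factory=list)

    def append(self, roll: str, question: str, old_marks: Optional[int],
               new_marks: int, examiner: str) -> MarkChange:
        """Record a mark change, chaining it to the previous entry."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        draft = MarkChange(len(self.entries), roll, question,
                           old_marks, new_marks, examiner, prev)
        entry = MarkChange(**{**draft.__dict__, "entry_hash": compute_hash(draft)})
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry.

        Catches edited fields (hash mismatch), deleted or inserted records
        (sequence gap) and reordering (prev_hash mismatch).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i
            if not hmac.compare_digest(compute_hash(e), e.entry_hash):
                return i
            prev = e.entry_hash
        return None


def current_marks(ledger: MarkLedger, roll: str) -> Dict[str, int]:
    """Replay the log to derive a candidate's latest mark per question."""
    marks: Dict[str, int] = {}
    for e in ledger.entries:
        if e.roll == roll:
            marks[e.question] = e.new_marks
    return marks


def demo() -> dict:
    """Build a small constructed ledger, then simulate an after-the-fact edit."""
    ledger = MarkLedger()
    ledger.append("CONSTRUCTED-ROLL-001", "Q1", None, 4, "examiner-17")
    ledger.append("CONSTRUCTED-ROLL-001", "Q2", None, 6, "examiner-17")
    ledger.append("CONSTRUCTED-ROLL-001", "Q2", 6, 7, "examiner-17")  # legitimate correction
    intact = ledger.verify()

    # Someone rewrites the second record in storage without going through append():
    tampered = MarkLedger(list(ledger.entries))
    e = tampered.entries[1]
    tampered.entries[1] = MarkChange(**{**e.__dict__, "new_marks": 9})
    return {"intact": intact, "tampered_at": tampered.verify(),
            "marks": current_marks(ledger, "CONSTRUCTED-ROLL-001")}


if __name__ == "__main__":
    print(demo())
```

<p>In a real deployment the chain head would be anchored outside the vendor's own database (for example, published to the board or a third-party auditor at fixed intervals), since a party who controls the whole store can rebuild the chain from scratch; the hash chain proves that the log presented at audit time is the log that was written, not who wrote it. Role-based access review, the other half of the row's "proof needed", is what answers the second question.</p>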
<h2>Data Exposure Allegations Shift the Legal Question</h2>
<p>Adhikary&#8217;s latest claims, as described in public posts and reporting, go beyond examiner accounts. He alleged that scanned answer sheets and question papers were reachable through a misconfigured cloud storage path. He also raised concerns about sensitive student information moving through third-party tools. Those claims still need official forensic confirmation.</p>
<p>If confirmed, the issue would no longer be only whether marks could be changed. It would become a student data case. Answer sheets carry handwriting, roll-linked academic performance and sometimes personally identifying metadata. For minors and school-leavers, that is a long-lived record, not a disposable exam file.</p>
<p>The Digital Personal Data Protection Act (DPDP Act, India&#8217;s privacy law for digital personal data) is also arriving on a staggered timetable. The <a href='https://www.indiacode.nic.in/bitstream/123456789/22037/2/a2023-22.pdf' target='_blank' rel='noopener'>India Code text of the DPDP Act</a> shows definitions and Data Protection Board provisions already on one clock, while many core data-processing duties under sections 3 to 17 are scheduled for later commencement. That timing makes voluntary disclosure and procurement discipline more important, not less.</p>
<p>Even before every privacy-duty provision is in force, India&#8217;s cyber-incident rules create pressure. The <a href='https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf' target='_blank' rel='noopener'>CERT-In incident-reporting FAQ</a> says severe cyber incidents, data breaches and data leaks should be reported within six hours of being noticed or brought to notice, with more information supplied later if needed.</p>
<h2>Responsible Disclosure Became Public Pressure</h2>
<p>The timeline is uncomfortable for any institution that handles high-stakes records. IFF said Adhikary disclosed five vulnerabilities to CERT-In on February 25, then published after what he considered an inadequate response. IFF&#8217;s <a href='https://internetfreedom.in/when-the-exam-itself-can-be-hacked-iff-writes-to-the-ministry-of-education-and-cert-in-on-the-cbse-on-screen-marking-disclosure/' target='_blank' rel='noopener'>digital-rights request for an investigation</a> asked for a review of the board&#8217;s conduct, the vendor contract, remedial steps and public audit disclosure.</p>
<p>Public disclosure should never become the preferred way to get critical systems fixed. Yet the sequence here shows why researchers lose patience when official channels feel opaque. The board thanked ethical hackers after the story had already spread widely. That gratitude will matter more if it is followed by a clear safe-reporting process, response deadlines and a published vulnerability-handling policy.</p>
<ol>
<li>CBSE announced OSM for Class XII evaluation and asked schools to prepare computer labs, connectivity and practice access.</li>
<li>A researcher says he reported authentication and access-control flaws to CERT-In before the system finished its public exam cycle.</li>
<li>Students later raised complaints about scanned copies, post-result access and the re-evaluation process.</li>
<li>The board then said OnMark vulnerabilities had been contained and additional weaknesses were being checked.</li>
</ol>
<p>That sequence does not prove marks were changed. It does show a public authority trying to modernize faster than its disclosure culture appears to have matured.</p>
<h2>The Audit Test CBSE Cannot Skip</h2>
<p>The minimum credible response now is not another assurance that the platform is safe. The board needs a <strong>forensic audit trail</strong> that separates three questions: whether vulnerabilities existed, whether they were exploitable against live data, and whether any unauthorized access or alteration occurred.</p>
<p>A useful public audit does not need to reveal fresh attack paths. It can publish scope, dates, auditor independence, categories of systems reviewed, number of affected accounts if any, and whether student notifications are required. That is how the board can inform without giving a how-to guide to attackers.</p>
<ul>
<li>Publish the date each identified vulnerability was reported, acknowledged, fixed and retested.</li>
<li>Confirm whether live student records, examiner accounts or answer-sheet images were exposed.</li>
<li>Release an executive summary from an auditor not previously tied to the deployment.</li>
<li>State whether the vendor contract includes breach notice duties, indemnity, audit rights and termination triggers.</li>
<li>Create a standing channel for ethical hackers with safe-harbour language and response deadlines.</li>
</ul>
<p>There is a policy lesson here beyond one portal. Schools are being asked to trust more digital records, more cloud workflows and more automated controls. That trust cannot depend on students finding flaws after the system has already handled their futures.</p>
<p>If CBSE publishes a dated, independent audit and shows that no student record was altered or wrongly exposed, the OnMark row can become a painful repair job. If it stops at containment, every future digital exam system in India will inherit the doubt.</p>