A major cybersecurity controversy has emerged around the Central Board of Secondary Education (CBSE) after ethical hacker Nisarga Adhikary claimed to have discovered serious vulnerabilities in the board’s On-Screen Marking (OSM) and related digital systems. According to the claims, personal information belonging to approximately 4.5 lakh students, including phone numbers and email addresses, may have been exposed due to security weaknesses.
The vulnerabilities were reportedly identified during the February 2026 board examination period. Adhikary alleged that the flaws included hardcoded master passwords, OTP authentication bypasses, examiner impersonation capabilities, and unauthorized access to student and teacher records. He also claimed that misconfigured cloud storage repositories exposed scanned answer sheets and examination-related documents.
According to the ethical hacker, the weaknesses could potentially allow unauthorized users to view sensitive records, access examiner information, and in extreme scenarios manipulate academic data. The findings were reportedly disclosed responsibly to CERT-In and CBSE for remediation.
CBSE initially maintained that the accessed systems were testing environments containing sample data rather than live student information. However, the board later acknowledged vulnerabilities within the OSM ecosystem managed by a third-party technology provider and initiated corrective measures with the assistance of cybersecurity specialists.
The incident has raised questions about vendor governance and security oversight. The dependence on third-party service providers highlights the importance of rigorous security audits, compliance checks, and continuous monitoring of critical education infrastructure.
Cybersecurity experts point to cloud misconfigurations as one of the most common causes of large-scale data exposures. Publicly accessible storage repositories can inadvertently expose confidential information if proper access controls are not implemented and regularly reviewed.
The alleged presence of hardcoded credentials and weak authentication mechanisms further underscores the need for secure software development practices. Security-by-design, regular penetration testing, and vulnerability assessments are essential for systems handling sensitive educational records.
The potential consequences extend beyond technical concerns. Exposure of student contact information could lead to phishing attacks, spam campaigns, identity theft attempts, and targeted social engineering against students, parents, and educators.
The controversy also raises concerns about academic integrity. Any perception that examination systems can be manipulated may undermine trust in one of India's largest educational institutions, affecting students, parents, universities, and policymakers alike.
The incident serves as a reminder that as educational systems become increasingly digital, cybersecurity must be treated as a foundational requirement rather than an afterthought. Strengthening data protection, vendor accountability, cloud security, and incident response capabilities will be essential to maintaining trust in India's rapidly expanding education technology ecosystem.
Lesson To Learn From CBSE Data Breach :
| Area | Observation | Potential Impact | Recommended Action |
|---|---|---|---|
| Data Exposure | Student emails and phone numbers allegedly exposed | Privacy risks, phishing attacks | Data encryption and access controls |
| Authentication | Hardcoded passwords and OTP bypass claims | Unauthorized access | Strong MFA and credential management |
| Cloud Security | Misconfigured storage repositories | Public exposure of sensitive documents | Continuous cloud security monitoring |
| Third-Party Vendor Risk | Dependence on external technology provider | Supply chain vulnerabilities | Vendor audits and compliance reviews |
| Academic Integrity | Potential access to examination systems | Loss of trust in evaluation process | Independent security assessment |
| Regulatory Compliance | Possible data protection concerns | Legal and regulatory scrutiny | Compliance reviews and reporting |
| Reputation | Public controversy and media attention | Erosion of stakeholder confidence | Transparent communication strategy |
| Student Safety | Exposure of personal information | Social engineering and fraud risks | Awareness and monitoring programs |
| Operational Security | Weak security controls identified | Increased attack surface | Security-by-design implementation |
| Future Readiness | Growing dependence on digital platforms | Systemic cybersecurity challenges | Continuous risk management framework |
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
