IIT Panels Reveal Critical Security Flaws in CBSE Examination Marking System, Prompting Federal Oversight and Data Migration
In a development that intertwines technological vigilance with the sanctity of India’s public examinations, a joint expert panel comprising senior researchers from the Indian Institutes of Technology, Kanpur and Madras, reported that artificial‑intelligence tools, notably the language model Claude, were employed to systematically probe the Central Board of Secondary Education’s On‑Screen Marking (OSM) platform, thereby uncovering a constellation of vulnerabilities that, if left unremedied, could have compromised the confidentiality and integrity of scores for millions of adolescent candidates across the nation.
The OSM system, introduced as a digital substitute for paper‑based assessment verification, operates as a web‑based interface through which examiners input and validate marks, while simultaneously transmitting data to centralized repositories; the panel’s forensic analysis demonstrated that authentication mechanisms were circumventable, that session tokens could be intercepted and repurposed, and that the underlying API endpoints permitted injection of malformed requests, all of which collectively threaten the inviolability of the adjudication process and risk eroding public confidence in scholastic credentialing.
Central to the critique was the performance of the contracted vendor, Coempt Eduteck, whose obligations encompassed the design, deployment, and maintenance of the OSM infrastructure; investigators highlighted that the vendor’s code‑review practices appeared insufficient, that patch cycles lagged behind identified threats, and that documentation of security controls was either outdated or wholly absent, thereby raising serious questions regarding the prudence of awarding a critical education‑technology contract without demonstrable adherence to established cybersecurity standards.
In response to the panel’s findings, the Ministry of Electronics and Information Technology, together with the Indian Computer Emergency Response Team, initiated a series of emergency audits, mandated immediate remedial actions, and authorised the migration of all examination data to a sovereign cloud environment hosted on Amazon Web Services’ India region, a move intended to restore resilience through the application of vetted encryption protocols and to assert governmental control over the custodianship of sensitive academic records.
This cascade of events unfolds against a backdrop of mounting unease concerning the digital transformation of India’s education system, wherein disparities in access to reliable internet, hardware, and technical support disproportionately affect students from economically marginalised communities, thereby amplifying the stakes of any breach in examination security, as a compromised result may translate into lost opportunities for higher‑education admission and subsequent socioeconomic mobility.
While official statements have lauded the prompt identification of flaws as evidence of a robust oversight apparatus, the chronicle of delayed vendor compliance, opaque procurement decisions, and the reliance on external cloud services to rectify internal deficiencies invites a measured critique of institutional accountability, suggesting that the celebrated narrative of seamless modernization may, in fact, conceal systemic inertia and an overreliance on market solutions to address intrinsically governmental responsibilities.
Consequently, one must inquire whether the existing legislative framework governing public‑sector procurement possesses adequate safeguards to compel vendors to demonstrate verifiable cybersecurity competence prior to contract award, whether the mechanisms for independent audit of critical education‑technology platforms are sufficiently empowered to enforce remedial timelines without political interference, and whether the statutory obligations of the Ministry of Education and the Ministry of Electronics and Information Technology include explicit provisions for redress should an exploitation of the identified vulnerabilities result in demonstrable harm to students, thereby obligating the state to provide compensation or remedial educational opportunities.
Further contemplation is warranted regarding the adequacy of data‑sovereignty statutes in obligating the relocation of sensitive academic information to domestically controlled cloud infrastructures, the extent to which existing privacy legislation mandates transparent notification to affected candidates and their families in the event of a breach, and the degree to which civil‑society organisations are empowered to hold both the Board and its external contractors legally answerable for any failure to implement recommended security enhancements, especially when such failures intersect with the fundamental right to equitable access to public education and the preservation of merit‑based assessment.
Published: June 4, 2026