CBSE Orders Action Against OSM Contractor After Answer Sheet Portal Security Lapses
The Central Board of Secondary Education (CBSE) is preparing to impose penalties on its On-Screen Marking (OSM) service provider, Coempt Edu Teck, after vulnerabilities were discovered in the online system used for evaluating Class 12 answer sheets. The move follows public disclosures on social media that raised concerns about the security of answer scripts and student-related data stored on the platform.
AI-generated summary, reviewed by editors
Officials familiar with the matter said the Hyderabad-based company could face financial penalties under the provisions of the contract awarded to it in December 2025. The board has also confirmed that identified weaknesses in the system have now been addressed.
Ethical Hacker's Post Triggers Security Concerns
The controversy erupted after 19-year-old ethical hacker Nisarga Adhikary alleged on X that answer sheets and examination-related files were accessible through an improperly configured Amazon Web Services (AWS) storage bucket.
In his post, Adhikary claimed, "CBSE people didn't configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answer sheets & question papers," while sharing screenshots that appeared to show answer copies.
According to Adhikary, the issue stemmed from the cloud storage bucket's root directory being openly accessible.
"The bucket root was publicly listable, meaning anyone on the internet could see the complete list of files and folders stored inside," added Adhikary.
The allegations quickly drew attention online and prompted a response from CBSE.
CBSE Says Vulnerabilities Have Been Fixed
Several hours after the claims surfaced, CBSE acknowledged that concerns related to the OSM portal were being monitored.
The board stated that cybersecurity specialists from different government agencies and Indian Institutes of Technology (IITs) had been engaged to strengthen the platform's security framework.
"An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up. The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out," CBSE said.
While CBSE did not publicly disclose the name of the vendor involved, officials confirmed that corrective action had been taken and that the contractor would face penalties.
One official, speaking on condition of anonymity, said, "The vulnerabilities identified by the board shows that the there was a data breach related to students data. In the tender rules, there are exhaustive provisions for imposition of penalty on the company if it is established that there were shortcomings within the ambit of scope of work. It is obvious that penalties will be imposed due to various issues, which we identified and now resolved."
Another official stressed that answer booklets themselves had not been leaked.
"Our record is saying that the answer book has not leaked. The data is secure now and we have fixed and patched all the vulnerabilities. There is no vulnerability in the system now. We will compile data for all the issues in OSM including vulnerabilities in the portal and impose penalties in line with the tender rules and guidelines," the official said.
Tender Rules Allow Heavy Financial Penalties
The contract governing the OSM project includes strict Service Level Agreements (SLAs), introduced through a tender issued on August 28, 2025.
The agreement categorises lapses into "critical mistakes" and "other mistakes." Critical mistakes include information leaks, security failures and major errors in scanning answer scripts. Other mistakes cover issues such as data security breaches, missing pages during scanning and inconsistencies in information shared with CBSE.
Under the terms of the contract, the vendor can be fined ₹1 lakh for every 15-minute delay in addressing a reported issue beyond the deadline prescribed by CBSE. Delays in submitting root-cause analyses and corrective action plans can also attract penalties of ₹1 lakh for every hour of delay.
Additionally, the agreement prescribes a ₹5,000 penalty for every hour's delay in providing support services, training materials, user manuals and operational assistance required by the board.
The countdown for these penalties begins once a CBSE official files a complaint through the designated helpdesk or sends an escalation email.
Blacklisting Provision Removed Before Contract Award
While the original August 2025 tender granted CBSE the authority to blacklist vendors for serious violations, that provision was removed before the contract was finalised.
The initial tender stated that a committee could issue show-cause notices leading to forfeiture of performance bank guarantees, blacklisting and termination of contracts. However, a corrigendum issued on September 20, 2025, removed blacklisting from the list of possible actions.
The same change was made to another clause dealing with repeated violations categorised as "Other Mistakes." Following the amendment, CBSE retained the power to forfeit security deposits and terminate contracts, but no longer had the option to blacklist vendors.
Coempt Edu Teck, which secured the contract on December 5, 2025, did not respond to requests for comment on the matter.
As CBSE reviews the full extent of the issues discovered in the OSM system, officials say penalties will be calculated in accordance with the contract's provisions while the board continues to monitor the security of its examination infrastructure.
Click it and Unblock the Notifications
Sign in with Google