After public posts by ethical hackers exposed vulnerabilities in the Central Board of Secondary Education’s On-Screen Marking platform OnMark, the board on Sunday (May 31, 2026) stated that the identified vulnerabilities “have been contained and other exploitable weaknesses are being ruled out”. As per the official statement, an expert team of cybersecurity professionals has been deployed from across various arms of the government as well as the IITs to fortify CBSE’s systems.

The CBSE said it was “grateful” to alert citizens for pointing out “such weaknesses”. The citizens in question are two teenagers who explored the vulnerabilities in the CBSE’s systems. Sarthak Sidhant, a 17-year-old Class 12 student from Jharkhand, published an investigative blog, ‘How CBSE rewrote rules to favour Coempt EduTeck’, which probed the dilution of the tender for an allegedly favourable vendor for OSM evaluation. The other, 19-year-old Nisarga Adhikary, is an ethical hacker who claims to have hacked into the OSM portal and to have been able to read, write and edit answer sheets.

Mr. Adhikary claimed that he had hacked the CBSE’s digital evaluation ecosystem. He explained that personal information of students was processed by Google’s Gemini in automation scripts prepared by quality assurance engineers of COEMPT. After the results were declared, many Class 12 students alleged scoring discrepancies and also claimed that the scanned copies of their answer sheets uploaded by the Board did not match their handwriting, taking to social media to raise concerns over a possible mix-up in the OSM system.

John Xavier of The Hindu, who interviewed both Mr. Sidhant and Mr. Adhikary, talks to us about key takeaways from their conversation.

What do you think of what Mr. Sidhant and Mr. Adhikary are saying?

Nisarg and Sarthak were investigating two different aspects of the CBSE system. Nisarg’s focus is on how the digital infrastructure is built, managed and run. He notes that when he hacked into the OSM portal, he was able to read, write and edit documents (answer sheets).

Sarthak’s probe was focused on the dilution of the tender to suit a particular vendor. He mentions about 15 points to show how this process was tweaked to favour Coempt.

Were you surprised by what they said about how robust or not robust the systems are?

I was surprised by Nisarga’s finding that he spotted traces of Gemini API in the CBSE portal. He claims that personally identifiable data of students was being shared with an AI model that has its server outside India. This is a clear data sovereignty issue.

What is your take on how things can be made better?

Creating an audit-cum-review-based system is a definite must. Perhaps a reputed professional firm, like KPMG, Deloitte or EY, must be allowed to do an independent audit of CBSE’s digital systems. Secondly, students must be made aware of the changes well in advance. And large-scale changes should be made only after running several pilots in different regions in the country.

Do you think the CBSE portal’s internal architecture is typical of govt tech operations affecting people?

I can’t comment on this as I’m not aware of whether CBSE’s portal is similar to other government sites. But one thing is clear: CBSE must have far greater security safeguards in place as it handles sensitive data of lakhs of Indian students.

Published - June 01, 2026 03:36 pm IST
When students audit the system
CBSE addresses vulnerabilities in its OnMark platform after ethical hackers expose flaws, prompting enhanced cybersecurity measures and student concerns.












