The Central Board of Secondary Education (CBSE) has filed a formal complaint with Delhi Police over a 3.8 million-packet cyberattack on its Class 12 re-evaluation portal, the latest turn in a crisis that began when the board moved evaluation to a fully digital system this year. CBSE says its databases stayed secure. Days earlier, it had acknowledged security flaws in the same system, more than three months after a researcher first reported them and a week after he publicly demonstrated full access to its servers.
The crisis now spans low results, demonstrated security flaws, a whistleblower’s tender-rigging allegations, and two senior officials transferred. Here is how it unfolded.
- February 12, 2026: OSM introduced. CBSE announced that Class 12 answer scripts would be scanned and evaluated digitally under On-Screen Marking (OSM), with teachers grading remotely, to cut totalling errors and speed up results. At the same time, it discontinued post-result verification of marks for Class 12. Class 10 evaluation remained paper-based.
- February to April 2026: exams held. CBSE conducted the Class 12 board exams from February 17 to April 10, with nearly 18 lakh students registered for the cycle. All answer sheets were evaluated under OSM for the first time.
- Late February 2026: vulnerabilities flagged to CERT-In. Cybersecurity researcher Nisarga Adhikary, who had just completed Class 12, reported security vulnerabilities in the OSM portal to the Indian Computer Emergency Response Team (CERT-In) shortly after February 25. He said he received a templated acknowledgement and never heard back despite follow-ups.
- March 16, 2026: teachers warned. In a circular, CBSE warned Class 10 and 12 evaluators of legal action for sharing “misleading” information about the marking process on social media, calling the evaluation confidential. Several concerns raised by teachers later proved to be well-founded.
- May 13, 2026: results disappoint. CBSE declared the Class 12 results with an overall pass percentage of 85.20%, down over three points from 88.39% in 2025. Students reported unexpectedly low marks, blurred scans, and unmarked answers. One student, Vedant Shrivastava, said the Physics answer sheet CBSE uploaded for him was not his at all, and the board sent the correct one only after his post went viral. More than 1.63 lakh students were placed in the compartment category.
- May 22, 2026: vulnerabilities go public. Adhikary published a blog detailing security flaws in the OSM portal after CERT-In failed to act on issues he had flagged months earlier. Among them were a master password stored in plain text in the site’s code, login verification that ran in the user’s browser rather than on CBSE’s servers, internal pages accessible without authentication, and a flaw that allowed anyone to reset an examiner’s password without knowing the existing one. Together, he said, these flaws enabled a capable outsider to impersonate any examiner and alter students’ marks.
- May 26 to 27, 2026: CBSE denies a breach. CBSE said the affected URL belonged to a testing site containing sample data and that the actual evaluation portal had never been compromised. Independent researchers disputed this. One noted that CBSE cited the wrong domain name in its denial, while another said he had independently verified that the master password flagged by Adhikary had existed since January 2026.
- May 30 to 31, 2026: researcher demonstrates access. Adhikary demonstrated that he had gained full create, read, update, and delete (CRUD) access, along with shell access to CBSE’s production servers and super-admin access to a subdomain. On May 31, he flagged an additional vulnerability that he said exposed a large volume of personally identifiable information (PII).
- June 1, 2026: CBSE acknowledges flaws. Having denied a breach days earlier, CBSE acknowledged the vulnerabilities in the OnMark system, said it had deployed cybersecurity experts from across government and the Indian Institutes of Technology (IITs), and thanked the researchers who had flagged the issues.
- June 2, 2026: whistleblower testifies. Sarthak Sidhant, a 17-year-old Class 12 student from Jharkhand, appeared before the Parliamentary Standing Committee on Education and alleged CBSE “rewrote rules” in its OSM tenders to favour a specific vendor, Coempt Edutech. Working with an ethical hacker, he flagged 15 discrepancies in tender documents published on the Central Public Procurement portal, alleging that clauses related to poor performance, blacklisting, and financial eligibility had been altered across successive tenders.
- June 2, 2026: officials transferred, inquiry ordered. The Centre transferred CBSE Chairman Rahul Singh and Secretary Himanshu Gupta and constituted an inquiry committee to examine the OSM procurement process.
- June 2, 2026: re-evaluation portal launched. CBSE opened a portal for verification and re-evaluation, a remedy it had earlier discontinued, after postponing the launch from May 29 and June 1 to conduct emergency security-hardening exercises, including penetration testing and vulnerability assessments. The portal recorded nearly 1.5 million access requests within its first two minutes and supported more than 8,000 concurrent users.
- June 2 to 3, 2026: cyberattacks. CBSE said the portal blocked more than 100,000 unauthorised access attempts within minutes of going live and faced a 3.8 million-packet attack on June 3 that resembled a Distributed Denial-of-Service (DDoS) attack. The IIT Madras team brought in by CBSE was more cautious; its director said the activity might have been a cyberattack but that log analysis would be required to confirm it. CBSE also rebutted social media claims of a data breach, saying the leaked URL pointed to an internal testing environment containing no real student data.
- June 5, 2026: complaint filed. CBSE lodged the complaint with the Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi Police, attributing the attacks to “elements inimical to national interest.” By June 4, the board had received 70,433 applications, including 63,119 for re-evaluation and 7,314 for verification of marks.
Why this matters: CBSE moved Class 12 evaluation onto a private vendor’s platform, meaning the scanned answer sheets and personal data of nearly 18 lakh students were stored on a single online system. A teenage cybersecurity researcher later demonstrated that the system was vulnerable, gaining full access to CBSE’s live servers.
The board’s handling of the issue compounded the concerns at each stage. It left the vulnerabilities unaddressed for more than three months after they were first reported, denied that any breach had occurred, later acknowledged that the flaws were real, and then, following a fresh attack on its re-evaluation portal, continued to insist that student data had remained secure throughout. The story is not simply about a dramatic hack; it is about a public institution that appears to have treated the security of student data as an afterthought in a digital transformation it rushed to implement.