CBSE ignored all the red flags. Now students are paying the price

In an ecosystem where one mark separates a seat at an IIT from a year's wait, the margin for error is zero

In our country, nearly 46 lakh students were given a masterclass this year — not in physics or mathematics, but in what happens when an institution mistakes ambition for readiness. When the Central Board of Secondary Education declared Class 12 results on May 13, its newly launched On-Screen Marking system (OSM) didn’t just malfunction. It unravelled, publicly and painfully, taking with it something far harder to restore than software: Institutional trust.

OSM was, in concept, a sound idea. Physical answer sheets would be scanned, uploaded to a secure portal, and assessed by teachers remotely, thus cutting travel costs, eliminating totalling errors, and accelerating results. The board’s ambition was real. So was its failure to match that ambition with the preparedness it demanded. What followed the May 13 declaration was a cascade of failures.

Students reported blurred scans rendering handwriting illegible, missing supplementary pages leaving entire answers unmarked, page-level scores that didn’t add up, and, most jaw-dropping, answer sheets that belonged to someone else entirely. Some students who had cleared JEE Mains, one of the country’s most competitive engineering entrance tests, failed their own board examinations. The re-evaluation portal, when finally opened, crashed repeatedly. For a generation that had studied for years toward a result, this was not a technical glitch. It was a betrayal.

The more troubling revelation is that none of this was unforeseeable. Teachers who took part in pre-rollout dry runs told the media the system needed at least another year. The Delhi Government School Teachers’ Association formally urged the board to pause implementation, warning that rolling out a fully digital evaluation framework without structured training posed “significant practical challenges”. Most examiners, the association stated, had not received certified preparation. These were not outsiders raising alarms. They were the board’s own frontline evaluators, speaking from inside the very test exercises CBSE had commissioned to stress the system. Leadership heard them — and proceeded anyway.

The procurement story compounds the concern. The OSM contract went to Hyderabad-based Coempt Edu Teck, which edged out TCS as the lowest financial bidder on December 5, 2025, leaving just 66 days before the full national rollout on February 9, 2026. Selecting the cheapest vendor on a deadline that precluded meaningful stress-testing, for a system touching millions of students, is not cost-efficiency but institutional recklessness. What makes it more sobering is that OSM was not new. It had been piloted for Class 9 assessments during Covid, then quietly shelved after glitches. That history went unlearnt.

Then came the students, and in a development that should embarrass every senior official who waved away the warnings, teenagers did what the institution could not. On February 25, Nisarga Adhikary, a 19-year-old who had just written his Class 12 boards, accessed the OSM portal and found multiple security vulnerabilities. He reported his findings to CERT-In, India’s nodal cybersecurity body, but was ignored. Three months later, with results out and student grievances flooding social media, Adhikary published a detailed blog post on May 22, laying bare what he had found. He went further, alleging that an Amazon Web Services cloud storage bucket housing the 2026 examination records, scanned answer booklets included, was openly accessible online, without a password, without authentication, without any gate whatsoever. Shortly after, 18-year-old Sarthak Sidhant published his own analysis, alleging that CBSE had retroactively rewritten its bidding criteria in ways that steered the contract toward Coempt Edu Teck.

The institutional response was initially defensive. CBSE insisted no breaches had hit the live evaluation portal, arguing the URL Adhikary cited was a test environment. Adhikary shot back that CBSE’s own clarification post was directing users to his blog. Meanwhile, a separate cyberattack on the re-evaluation portal sent fee displays swinging from one rupee to Rs 68,000 for around 50 students. Faced with mounting evidence, the board acknowledged vulnerabilities and brought in experts from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. By June 2, the board’s top two officials had been transferred, and the Centre ordered a formal inquiry into the tendering, the cybersecurity posture, and the conduct of the rollout.

The CBSE episode reflects a broader failure in how India’s public institutions approach digital transformation. Technology deployed at a national scale, especially one that is holding the futures of millions, must be engineered across three non-negotiable dimensions: Capacity, scalability, and cybersecurity. A portal that buckles under routine traffic is not a digital system but a mere paper system with a login page. A cloud repository that a teenager can browse unauthenticated is not a secure infrastructure; it is negligence with a server address.

The cybersecurity lapse is particularly grave. Adhikary did everything right: He found the flaw, he reported it through legitimate channels, and he waited months before going public. CERT-In did not patch the vulnerabilities in time. The question that demands an answer is not merely why the portal was insecure, but why a responsible disclosure from a young researcher was treated as an inconvenience rather than a service. Public institutions must build clear, responsive channels for ethical hackers and the culture to take them seriously.

Trust in digital systems is not a given. It is earned, maintained, and catastrophically easy to lose. For the students who opened their results to find a stranger’s answer sheet, no audit will fully repair what was broken. Rebuilding public confidence demands a structural commitment — independent penetration testing before any large-scale rollout, mandatory adherence to CERT-In cybersecurity frameworks, procurement decisions that weigh capability over cost, and a governing culture that treats internal warnings as intelligence rather than interference.

In an ecosystem where one mark separates a seat at an IIT from a year’s wait, the margin for error is not slim. It is zero. CBSE’s OSM crisis is a lesson written at the cost of its students. The least the system owes them is not to repeat it.

The writer is a defence and tech policy adviser and author of The Digital Decades: On 30 Years of the Internet in India
