The Central Board of Secondary Education’s security system for confidential student information such as answer sheets came under scrutiny on Sunday after a hacker claimed to have accessed key data from the cloud storage.
Nisarga, who identifies himself as an ethical hacker on his X profile, posted 18 copies of scanned answer sheets, exposing weaknesses in the CBSE’s data protection mechanism.
Some of the scanned answer sheets bore folds and drop shadows, suggesting poor scanning — a lapse cited by teachers and school principals as one possible reason for students receiving comparatively poorer marks this year.
“CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers,” Nisarga’s post said.
“ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure.”
An AWS bucket or Amazon S3 (Simple Storage Service) bucket is a public cloud storage resource available on the Amazon Web Services platform. It provides object-based storage, where data is stored in distinct units called objects instead of files.
The CBSE sought to blame the company it had contracted for technological support — the Hyderabad-based COEMPT — and said corrective steps were being taken.
“We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain,” the board posted on X.
The post added: “An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up.
“The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out. We are grateful to all alert citizens and ethical hackers pointing out such weaknesses, and have gotten in touch with some of them directly.”
Rajeev Kumar, retired IIT Kharagpur computer science professor, said the CBSE’s statement about “monitoring” did not amount to an acceptance of blame. Nor was it enough to address the students’ concerns.
“The CBSE is still hiding the cyber security vulnerabilities in its system. It seems the CBSE leadership does not understand the privacy concerns...,” he said.
Kumar said the board ought to apologise to the Class XII examinees and their parents.
“Answer scripts contain personal data. Their confidentiality must be maintained. Any student should be able to access his or her own data and answer papers, but not the data of other students,” he said.
“What emerges from Nisarga’s post on X is that any student can access any other student’s scripts. The CBSE is one of the largest school boards in the country. Such privacy breach reflects poorly on the technical and academic leadership of the country.”
The controversy comes at a time the CBSE is already in a jam over the on-screen marking system it introduced this year, under which Class XII board examinees’ answer sheets were scanned and transmitted online to examiners who assessed them on computer screens.
With an across-the-board fall in scoring, hundreds of thousands of students have sought and obtained copies of their answer sheets so they can seek a re-evaluation.
At least two students have alleged their answer sheets were swapped with those of others, a lapse the CBSE has acknowledged.
“CBSE’s May 2025 tender required answer sheets to be scanned with automatic robotic scanners, spines preserved, at a minimum of 300 DPI,” Congress leader Rahul Gandhi, who has been tweeting consistently on the controversy, posted on X.
“The tender re-issued in August quietly removed all of it. ‘Scanners’ became generic. Resolution dropped to 200 DPI.
“Now we know what that meant in practice. It has been exposed that COEMPT scanned the answer sheets using mobile phones.
“The blurred copies, the missing pages, the unscanned books - they are not ‘errors.’ They are the predictable outcome of a contract written to fit a vendor.
“This is fraud. And every child whose marks were wrongly evaluated is a victim of it.
“This morning, the Prime Minister had time to speak about mangoes. He has not had time to speak about 18.5 lakh children whose answer sheets were scanned with phones.
“Dharmendra Pradhan ji still sits in office.
“Modi ji’s silence is no longer indifference. It iscomplicity.”
Senior Congress leader Jairam Ramesh posted: “The answer sheets that have emerged also bear folds and drop shadows — which are associated with scans made via mobile phones rather than scanning machines.
“We know that the third RFP (Request for Proposal) dropped the specification for a robotic scanner. The question then is what kind of scanners did COEMPT eventually use? Why are the scans of such poor quality?”
Even the CBSE’s rectification processes have been marred by technical problems. First, the portal through which the students had to apply to obtain copies of their marked answer sheets worked inconsistently.
Second, the portal through which they had to applyfor re-evaluation never began functioning.