CBSE OnMark Fix Leaves Student Data Trust Unsettled

CBSE OnMark portal vulnerabilities have been contained, the Central Board of Secondary Education, India’s national school examination board, said on May 31 after public security concerns over the service provider’s evaluation portal. The board said government cybersecurity teams and Indian Institutes of Technology experts are checking for other exploitable weaknesses.

For students, containment answers only the first question: whether an exposed system was closed. It leaves another, more practical question: how the board proves that marks, scanned answer books and personal data stayed intact while the system was being repaired.

The Admission That Changed the Marking Story

The May 31 statement did two things at once. It acknowledged vulnerabilities in the service provider’s portal and said the fixes had moved beyond monitoring. That puts the issue in a different place from a routine complaint about glitches or delayed access to scanned copies.

The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.

That sentence came from the board’s statement posted on X. It also said cybersecurity professionals from government bodies and Indian Institutes of Technology (IITs, public technical institutes) had been deployed over recent days to fortify the systems, including shifting them to a more secure set-up.

The wording matters because it narrows the issue. The board is no longer dealing only with angry students and screenshots online. It is now dealing with an official repair process, and repair processes leave audit trails.

How On Screen Marking Works at Exam Scale

On Screen Marking (OSM, digital evaluation of scanned answer books) was introduced for Class XII evaluation this examination cycle. In the February rollout circular for Class XII, the board said it conducts Class X and Class XII exams in India and 26 countries for nearly 46 lakh students, while Class X answer books would remain in physical mode for this cycle.

The process shifts the physical bundle into a screen workflow. According to the board’s On Screen Marking FAQ, actual answer books are scanned, uploaded to an evaluation portal, marked by examiners on computers, totaled by the system and then subject to checks by senior evaluators.

Cyber Rules Make This a Governance Problem

The public claim that a portal weakness existed matters less than a checklist of exploit details. The safer question for any student or parent is simpler: did the owner of the data follow the rules for receiving, validating, fixing and notifying?

India already has a route for vulnerability reports. The Indian Computer Emergency Response Team (CERT-In, India’s national computer emergency response agency) says in the responsible vulnerability disclosure policy that it collects, analyzes and coordinates mitigation with researchers and vendors, and that acknowledgements are sent within 72 working hours.

The Digital Personal Data Protection Act (DPDP, India’s digital personal data law) is the other pressure point. The official DPDP Act text says a data fiduciary remains responsible for processing done on its behalf by a data processor, must take reasonable security safeguards, and must notify the Board and each affected data principal in a personal data breach.

Students Became the Overlooked Stakeholders

The weakest part of an exam-technology story is usually the student. Vendors, portals and politics get names. The individual whose handwriting, roll data, scanned pages and marks move through the system often appears as a count.

That is why student trust is now the main system output. Many Class XII candidates are minors under Indian law. The DPDP Act defines a child as an individual below 18, and it treats parents or lawful guardians as data principals for children.

• Access logs showing who opened scanned scripts and when.
• Integrity checks matching each scanned answer book to the right barcode, roll record and subject.
• Evidence that storage permissions and portal accounts were reviewed after the public reports.
• A clear answer on whether any student or parent needs to take action under the post-result process.

None of those items requires publishing sensitive security details. In fact, a responsible post-incident note should avoid giving attackers a map. But it can still tell families what categories of records were checked, whether any affected records were found, and how corrections will be handled.

The board has asked ethical hackers and citizens to send inputs to secy-cbse@nic.in. That invitation is useful only if the people sending reports know that their submissions will be triaged, acknowledged and closed without turning a student record into public evidence.

The Service Provider Gap Is Now Public

The May 31 statement used a careful phrase: the OnMark portal of its service provider. That wording puts the hardest operational question outside the classroom. A national exam body can outsource software and scanning work, but it cannot outsource public accountability for the answer books moving through that work.

Official government guidance points in that direction. In CERT-In’s information security practices for government entities, senior management is told to assign security roles, conduct internal audits at least once in six months, run external audits at least once a year and use the audit outcome to deploy controls.

Coempt Edu Teck Pvt Ltd, a Hyderabad-based education technology company, says on its examination solutions page that Onmark supports cloud-based exam marking with integrity, speed and analytics. That is a product claim. The public question after the board’s statement is whether the contract, audits and incident review show the same standard in operation.

Evidence Is the Board’s Next Test

The next credible step should be a plain account of scope, not a longer assurance: systems reviewed, period checked, classes of records examined and result of the review. Students do not need exploit code. They need confidence that the marks attached to their roll numbers are theirs.

A post-incident account also needs to separate three questions that have been allowed to blur together. One is cybersecurity, meaning whether an outsider could reach or change data. Another is evaluation integrity, meaning whether scans, marks and subjects remained correctly linked. The third is redress, meaning what happens when a student finds a mismatch.

The board already has official post-result facilities for scanned copies, verification and subsequent processes through its Class XII post-result notice. The cyber repair now has to meet that calendar without rushing students into decisions before they know whether the portal review found anything relevant to their records.

If the review ends with a clear public account and affected students are contacted directly, the system can recover some trust before the next exam cycle. If the answer remains only that weaknesses were contained, every mark-sheet dispute will carry a cybersecurity shadow.