By Konika Gayen Keshervani| 2 June, 2026 | 7 Minutes Read
In May 2026, over 17 lakh Class 12 students across India received their board examination results — and for thousands of them, something was deeply wrong. Marks were lower than expected. Answer sheets bore someone else’s writing. Pages were missing. Scans were blurred beyond legibility.
But behind the chaos of results day lay a far more alarming discovery — one that strikes at the heart of every student’s right to privacy and data protection in digital India.
An ethical hacker had found that CBSE’s cloud storage — containing scanned answer sheets and question papers of millions of students — was sitting completely open on the internet. No login. No password. No protection. Anyone who knew where to look could download them freely.
This is the CBSE Cloud Data Breach of 2026. And if you are a student, a parent, or a citizen of India, you need to understand exactly what happened — and what your legal rights are.
What Is OSM and What Went Wrong?
CBSE’s Digital Leap — On-Screen Marking
For the 2026 Class 12 board examinations, CBSE introduced On-Screen Marking — commonly referred to as OSM — at a national scale for the first time. The system was designed to modernise the evaluation process: instead of physically transporting answer booklets to examiners’ homes, they would be scanned at examination centres, uploaded to a digital portal called OnMark, and evaluated online by teachers sitting anywhere in the country.
On paper, it sounded like progress. In practice, it was a disaster.
Reports from students, teachers, and school principals painted a grim picture of the rollout:
Answer booklets were scanned with folds and drop shadows, making evaluator assessment nearly impossible
Some students’ answer sheets were evaluated by examiners who received the wrong booklets
Entire pages disappeared from scanned copies submitted for evaluation
The OnMark portal crashed repeatedly during the evaluation period
Teachers who participated in pre-rollout exercises said the system needed at least another year of preparation
The consequence was stark: India’s national Class 12 pass percentage fell to 85.20% — the lowest in seven years. Over 17 lakh students were affected.https://timesofindia.indiatimes.com/education/news/cbse-class-12th-result-2026-why-students-scored-lower-this-year-as-pass-percentage-falls-by-3-19/articleshow/131063533.cms
The Security Breach: An Open Cloud Bucket
While the evaluation failures were serious enough, the cybersecurity dimension of this story was even more alarming.
Nisarga Adhikary, a 19-year-old who identifies himself as an ethical hacker, posted findings on X (formerly Twitter) that sent shockwaves through India’s education and technology communities. He alleged that CBSE’s answer sheets and question papers — stored on an Amazon Web Services (AWS) Simple Storage Service (S3) bucket — were completely publicly accessible.
📌 AWS S3 is a cloud storage resource used by institutions worldwide to store large volumes of digital data. It works like an online filing cabinet. When configured correctly, it requires authentication — a login or access key — before anyone can view or download its contents. When misconfigured, it becomes an open, publicly readable folder on the internet.
According to Nisarga, CBSE’s cloud bucket was misconfigured in precisely this way. The AWS feature called ListObjectsV2 — which lists all files stored in a bucket — was accessible without any authentication. This meant anyone with basic technical knowledge could not only see a list of every file but download any scanned answer booklet stored within it — across multiple institutions that were using the same shared bucket.
In his own words: the bucket was “insanely insecure.”
CBSE responded by posting on X that it was “closely monitoring the vulnerabilities in the OnMark portal” of its service provider — and that corrective steps were being taken.
Scroll Down for reading the complete article
Who Is Responsible?
The Vendor: Coempt EduTeck
When the controversy broke publicly, CBSE’s institutional response was to direct attention toward its technology vendor — Hyderabad-based Coempt EduTeck (formerly Globarena Technologies), which had built and operated the OnMark digital evaluation platform.
This deflection, however, does not hold up against legal scrutiny. As we will explain in the rights section below, an institution cannot outsource its legal liability by outsourcing its services. CBSE — as the examining body with which every student has a statutory relationship — remains the responsible party for data protection failures.
What makes the vendor selection itself troubling is its history. Coempt EduTeck had been previously linked to examination system failures in Telangana — in 2019 and again in 2023 —both of which resulted in judicial intervention and significant student distress. This history was publicly available at the time of contracting.
The Tender Controversy
A 17-year-old student from Jharkhand named Sarthak Sidhant — who first drew public attention to this issue — went further than most. He spent days cross-referencing official CBSE bidding documents available on India’s public procurement portal and alleged that the eligibility criteria in the Request for Proposal (RFP) were progressively diluted across three successive rounds — in a manner that appeared to favour Coempt EduTeck’s profile.
The contract was awarded on December 5, 2025 — just 66 days before CBSE announced a full nationwide OSM rollout on February 9, 2026.
CBSE has stated that all General Financial Rules were followed. Coempt EduTeck denies wrongdoing. But the questions raised — about due diligence, timeline, and procurement integrity — are legitimate and demand independent answers
Your Legal Rights as a Student and Citizen
This is the most important section of this article. Because beyond the news cycle and political statements, there is a framework of law that protects you — and that CBSE and its vendors are legally required to comply with.
1. Right to Privacy — Article 21 of the Constitution
The Supreme Court of India, in the landmark nine-judge bench decision in K.S. Puttaswamy v. Union of India (2017), unanimously held that the Right to Privacy is a Fundamental Right under Article 21 of the Constitution — the right to life and personal liberty.
⚖️ K.S. Puttaswamy v. Union of India (2017) — 9-Judge Constitution Bench: Privacy is a constitutionally protected right as an intrinsic part of the right to life and personal liberty under Article 21. Any invasion of privacy must satisfy the tests of legality, legitimate aim, and proportionality.
Your answer sheet contains your handwriting, your roll number, your examination responses — personal data that identifies you. When a government body like CBSE fails to protect that data through elementary security measures, it is not merely a technical failure. It is a potential violation of your Fundamental Right to Privacy.
2. Digital Personal Data Protection Act, 2023
India’s DPDP Act 2023 — the country’s first comprehensive data protection legislation — creates binding legal obligations for entities that collect and process personal data.
⚖️ DPDP Act 2023 — Key Provisions
Section 8: Every Data Fiduciary must implement appropriate technical and organisational measures to ensure the security of personal data and prevent data breaches.
Section 13: Every Data Principal (the individual whose data is processed) has the right to obtain information about the personal data being processed about them.
Section 14: Data Principals have the right to grievance redressal.
Under this law, CBSE qualifies as a Data Fiduciary — an entity that determines the purpose and means of processing personal data. Students are Data Principals. The Act places a non-delegable obligation on CBSE to implement reasonable security safeguards.
An open, unauthenticated AWS bucket storing examination data of millions of students is a direct failure of this obligation. The fact that a vendor was responsible for the infrastructure does not discharge CBSE’s liability as the Data Fiduciary.
3. Right to Information — RTI Act, 2005
Every Indian citizen has the right to file an application under the RTI Act and demand information from a public authority. CBSE is a public authority under the Act.
Affected students and parents can file RTI applications asking:
What security audit was conducted before the OSM system was deployed nationally?
How many students’ data was potentially exposed, and for what period of time?
What were the technical eligibility criteria in the original RFP, and how were they changed across rounds?
What corrective cybersecurity measures have been taken since the breach was discovered?
Has CBSE filed a complaint with CERT-In regarding this breach?
📌 You can file an RTI online at rtionline.gov.in. The fee is ₹10, payable online. CBSE must respond within 30 days.
4. Complaint to CERT-In
The Indian Computer Emergency Response Team (CERT-In), functioning under the Ministry of Electronics and Information Technology, is India’s nodal agency for cybersecurity incidents. Under the Information Technology Act, 2000 and subsequent CERT-In rules, cybersecurity breaches involving sensitive personal data are reportable incidents.
Students, parents, and civil society organisations can lodge a complaint directly with CERT-In at cert-in.org.in, drawing their attention to the open cloud bucket and demanding accountability from both CBSE and Coempt EduTeck.
5. Approaching the Courts
Where fundamental rights are at stake, every citizen has direct access to constitutional courts.
⚖️ Constitutional Remedies
Article 226: Any person can approach the High Court of their state for enforcement of fundamental rights or any other legal right, through a writ petition.
Article 32: Any person can approach the Supreme Court directly for enforcement of fundamental rights. Dr. B.R. Ambedkar called this ‘the heart and soul of the Constitution.’
Individual affected students, parent associations, or civil society organisations can file writ petitions seeking an independent judicial inquiry into the OSM rollout and breach, directions for a mandatory third-party cybersecurity audit, a re-evaluation mechanism for affected students, and compensation for data exposure.
Scroll Down for reading the complete article
What Must Happen Now — A Citizen’s Demand List
Beyond individual legal action, this incident raises systemic questions about how India’s institutions handle the digital transition. Here is what civil society must demand:
— An independent judicial inquiry
Not an internal CBSE review committee. An inquiry led by a retired judge, with full access to procurement documents, vendor contracts, and technical audit logs.
— Mandatory cybersecurity audit before any digital rollout
No public examination board should be permitted to deploy a national-scale digital system without a certified third-party security audit, cleared by CERT-In.
— Full public disclosure of breach scope
CBSE must disclose exactly how many students’ data was accessible, for how long, and what categories of data were exposed. Silence is not accountability.
— Re-evaluation mechanism for affected students
Every student who received a blurred, incomplete, or incorrectly attributed answer sheet must have a clear legal pathway to demand re-evaluation — at no cost and without fear of penalty.
— Procurement transparency
The full RFP history, evaluation committee composition, and vendor selection rationale must be placed in the public domain.
The CBSE OSM Data Breach of 2026 is not simply an education story. It is a data governance story. It is a story about what happens when institutions digitise their operations without digitising their accountability — when technology is deployed at scale without the security, oversight, or legal compliance that scale demands.
India’s Data Protection law is young. Its enforcement machinery is still being built. But the constitutional framework — Article 21, the RTI Act, the jurisdiction of our courts — has existed for decades. These tools are available to you right now.
The students who brought this to light — a 19-year-old hacker and a 17-year-old who read government procurement documents so that others didn’t have to — are proof that informed citizens are India’s most powerful accountability mechanism.
Know your rights. File your RTI. Demand your answers.
This article is for informational purposes only and does not constitute legal advice. For specific legal action, please consult a qualified advocate.
Share your opinion
Email : knowyourrights005@gmail.com
Or click here










