June 2026 |Konika Gayen| 7 Minutes Read
📋 Article Summary
In 2026, India’s three largest national examinations — CBSE Class 12, JEE Advanced, and NEET UG — each experienced a serious institutional failure involving student data, examination security, or both. This article examines all three, identifies the common legal and governance threads, and sets out the rights available to affected students and citizens under Indian law.
Introduction: When the System Fails Its Students
Every year, more than five crore students sit for major national examinations in India. For most Indian families, these examinations are not merely academic events. They are the culmination of years — sometimes a decade — of preparation, financial sacrifice, and deferred dreams. NEET determines who becomes a doctor. JEE determines who gets into an IIT. CBSE Class 12 results shape university admissions, scholarship eligibility, and family futures.
In 2026, all three failed their students. Not in isolated incidents — but in a pattern that reveals something deeply troubling about how India’s examination institutions have approached the digital transition.
Three examinations. Three different types of failure — a cloud data breach, a portal misconfiguration, and a physical paper leak with criminal networks reaching into the heart of the National Testing Agency itself. But one common thread: institutions that moved fast to digitise without building the security, oversight, and accountability that scale demands.
This article covers all three — what happened, who is responsible, and what legal rights are available to every student and citizen affected
CASE 1 — CBSE CLASS 12: THE OSM DATA BREACH
The OSM Rollout and Its Failure
For the 2026 Class 12 board examinations, CBSE introduced On-Screen Marking — OSM — at a national scale for the first time. Under this system, answer booklets would be scanned at examination centres, uploaded to a digital platform called OnMark, and evaluated by teachers online.
The vendor awarded the contract was Coempt EduTeck, a Hyderabad-based company (formerly Globarena Technologies). The contract was awarded on December 5, 2025 — just 66 days before the nationwide rollout was announced. Reports later revealed that during a dry run in January 2026, evaluators flagged significant problems with the system: marks discrepancies, no auto-save feature, a non-functional remarks tool, poor interface design, and excessive cognitive load. Evaluators reportedly preferred to mark manually. CBSE officials reportedly told them OSM would only apply to non-academic subjects. It was eventually rolled out across all subjects.
The results were catastrophic. Blurred scans. Missing pages. Wrong answer sheets attributed to the wrong students. Portal crashes. India’s national Class 12 pass percentage fell to 85.2% — the lowest in seven years, affecting over 17 lakh students.
The Cybersecurity Breach
Behind the evaluation failures lay an even more alarming discovery. Nisarga Adhikary, a 19-year-old ethical hacker, posted findings on X revealing that CBSE’s AWS S3 cloud bucket — containing scanned answer sheets and question papers of millions of students — was completely publicly accessible without any authentication.
The AWS feature called ListObjectsV2 — which lists all files in a storage bucket — was accessible without login, allowing anyone to not only see every file but download any scanned booklet across multiple institutions sharing the same bucket.
A 17-year-old student named Sarthak Sidhant — who had independently analysed CBSE’s public procurement documents — testified before the Parliamentary Committee on Education, presenting a seven-page submission alleging that the RFP eligibility criteria were progressively diluted across three rounds in a manner that appeared to favour Coempt EduTeck, which had already been linked to examination failures in Telangana in 2019 and 2023.
The Government’s Response
On June 3, 2026, the Centre removed CBSE Chairman Rahul Singh and Secretary Himanshu Gupta, appointing senior IAS officer Lokhande Prashant Sitaram as the new Chairperson. A one-member inquiry committee was constituted under S. Radha Chauhan of the Capacity Building Commission, to report within one month.
IIT Kanpur and IIT Madras experts deployed to secure the portal found that AI tools — reportedly including Claude — had been used to probe its vulnerabilities, and that the vendor lacked adequate conceptual understanding of portal security. CBSE’s data was subsequently moved to a government-managed AWS India segment. Financial penalties against Coempt EduTeck are being processed under the contract.
CASE 2 — JEE ADVANCED 2026: THE CLOUD MISCONFIGURATION
What Was Exposed
JEE Advanced 2026 was conducted by IIT Roorkee. Following the declaration of results, a 16-year-old cybersecurity researcher named Rylen Anil discovered that the cloud storage system linked to the results portal was misconfigured and publicly accessible without any authentication.
The exposure included approximately 1,79,600 result records and 1,87,300 admit card PDFs — containing candidate names, dates of birth, roll numbers, and examination results. IIT Roorkee publicly acknowledged the issue, thanked the researcher for responsible disclosure, and stated the data was in read-only format, meaning it could not be altered.
Key Point
‘Read-only’ does not mean ‘safe.’ Data in read-only mode can still be viewed, downloaded, copied, and sold. The protection against alteration does not protect against harvesting — and harvested personal data can be misused for identity fraud, targeted scams, or sale on data markets
The Institutional Response and Its Gaps
IIT Roorkee moved to fix the misconfiguration on priority. The Ministry of Education posted on X calling reports of a breach ‘misleading and factually incorrect,’ and stating that candidate data ‘remains completely secure, intact, and safe.’
However, both the institute and the ministry left critical questions unanswered — and citizens are legally entitled to those answers:
How long was the storage bucket misconfigured before the researcher discovered it?
Were access logs reviewed to determine whether any third party downloaded or enumerated the exposed data during that window?
What categories of personal data were contained in the exposed admit card PDFs — beyond names and dates of birth?
Has IIT Roorkee filed a report with CERT-In as required under cybersecurity incident reporting rules?
The DPDP Act 2023 requires a Data Fiduciary to notify the Data Protection Board in the event of a personal data breach. IIT Roorkee — as an institution processing candidate personal data — has this obligation. Whether this notification has been made has not been publicly disclosed.
Scale of the Crisis
NEET UG 2026 — India’s national medical entrance examination — was held on May 3, 2026 for 22.7 lakh aspirants. Within days, a devastating pattern emerged. Reports surfaced from Rajasthan that a guess paper circulating before the exam had matched the actual question paper with alarming accuracy. Investigators found that approximately 120 questions allegedly circulated through Telegram in Rajasthan matched those in the guess paper.
The question paper had been sold to select candidates for up to ₹12 lakh per student. The Rajasthan Police Special Operations Group began investigating. Multiple arrests were made. The case was transferred to the Central Bureau of Investigation.
On May 12, 2026 — nine days after the examination — the National Testing Agency made a historic announcement: NEET UG 2026 is cancelled. A re-examination would be held on June 21, 2026
The Criminal Network — and Its History
CBI’s investigation exposed the architecture of the leak. Among those arrested was Shivaraj Motegaonkar, owner of Renukai Chemistry Classes Coaching Institute in Latur, Maharashtra, described as a key accused with alleged links to NTA processes. Also arrested were Pune-based chemistry professor P.V. Kulkarni — who allegedly ran special classes where exam questions were dictated, with handwritten notes recovered matching actual exam questions — and biology professor Manisha Gurunath Mandhare.
What makes this far more alarming than a single-year failure is what the investigation also established: CBI found evidence that the NEET UG 2025 question paper was compromised by the same racket. This was not a one-time breach. It was a continuing criminal enterprise, operating within and around India’s examination system, across at least two consecutive years.
The Minister’s Admission
Union Education Minister Dharmendra Pradhan admitted publicly that there had been — in his own words — ‘a breach in the command chain.’ He announced that NEET would move to a computer-based examination format from 2027.
‘Breach in the command chain’ is plain language for: insiders were involved. The leak did not happen in spite of the system — it happened through the system. This is not merely an administrative failure. It is a criminal accountability failure.
The minister has not resigned. The same ministry that oversees NTA also oversees CBSE and the IITs conducting JEE Advanced. All three examination failures in 2026 fall within one ministry’s jurisdiction.
The Re-exam Portal Security Concerns
As students prepared for the June 21 re-examination, cybersecurity researcher Rylen Anil flagged critical vulnerabilities in the NTA re-examination portal itself — including an alleged superadmin login bypass. Claims of a RE-NEET 2026 data leak also surfaced on social media. NTA referred these complaints to CyberCrime for investigation.
The portal established to manage the re-examination of a cancelled exam had its own security vulnerabilities flagged within days of going live. This is the accumulated consequence of institutions that have consistently prioritised speed of deployment over security of implementation.
Continue Reading….
The Pattern: Three Exams, One Crisis
When one examination fails, it can be treated as an isolated incident. When three of India’s largest examinations fail in the same year — across three different institutions, three different types of failure — that is a systemic crisis. And systemic crises demand systemic analysis.
What All Three Have in Common
Beneath the surface differences — a cloud breach here, a paper leak there — the three cases share a troubling common architecture:
1. Rapid Digitisation Without Security Infrastructure
All three institutions were in the middle of major digital transitions in 2026. CBSE deployed OSM nationally for the first time. JEE Advanced moved to a new results portal infrastructure. NTA managed the largest medical examination in the world through digital candidate systems. In each case, the speed of technological deployment outpaced the security architecture required to protect it.
2. Third-Party Vendors Without Adequate Oversight
Both CBSE and NTA relied heavily on third-party technology vendors. Coempt EduTeck had a documented history of examination system failures in Telangana — yet won the CBSE contract 66 days before the national rollout. NTA insiders were allegedly part of the NEET leak network. In both cases, outsourcing technology became — intentionally or otherwise — a mechanism for outsourcing accountability.
3. Exposed by Young Indians, Not by Institutions
The cloud breaches at CBSE and JEE Advanced were not discovered by institutional security teams. They were discovered by a 19-year-old, a 16-year-old, and a 17-year-old using publicly available tools. The NEET procurement irregularities were compiled into a seven-page submission by a student who had just sat his board exams. India’s institutions did not find these failures — India’s students did.
4. Defensive Denial as the First Response
In each case, the institution’s initial response was defensive. CBSE pointed at the vendor. IIT Roorkee and the Ministry of Education called reports ‘misleading.’ NTA emphasised its security protocols as students’ exam was being cancelled. The pattern of deflection before accountability is itself an institutional failure.
5. One Ministry — Three Failures
CBSE, the IITs conducting JEE Advanced, and NTA conducting NEET all operate under the Ministry of Education, headed by Dharmendra Pradhan. The minister admitted a ‘breach in the command chain’ in NEET. Officials were removed at CBSE. The minister himself has faced no accountability. Under the Westminster doctrine of ministerial responsibility — still operative in India’s constitutional framework — a minister is answerable to Parliament for the systemic failures of institutions under his ministry’s supervision.
What You Can Do: A Citizen’s Legal Toolkit
Across all three examination failures, students and citizens have a common set of legal tools available. Here is a consolidated guide.
1.File an RTI — Right to Information(
The RTI Act 2005 gives every citizen the right to demand information from public authorities. CBSE, IIT Roorkee, and NTA are all public authorities under the Act.
CBSE: Demand the inquiry committee report, breach scope, pre-deployment security audit, and vendor contract terms
IIT Roorkee: Demand access logs, duration of cloud exposure, and CERT-In filing details
NTA: Demand internal security audit of the NEET portal, list of arrested individuals with institutional connections, and steps taken to prevent re-exam leak
2. File a Complaint with CERT-In(
The Indian Computer Emergency Response Team is India’s nodal cybersecurity body. Students, parents, and civil society organisations can report cybersecurity breaches related to all three examinations at cert-in.org.in. CERT-In can order independent security audits of affected systems.
3. Approach Consumer Forums
Students who paid examination fees to CBSE or NTA have a consumer relationship with those bodies under the Consumer Protection Act 2019. Where the service — a fair, secure, and properly conducted examination — was demonstrably not delivered, students can approach District Consumer Disputes Redressal Commissions for compensation and damages. This is an especially accessible remedy for NEET candidates whose examination was cancelled.
4. Approach the Courts
Article 226 — High Court: Any person can approach their state High Court for enforcement of fundamental rights or any other legal right. Writ petitions can seek re-evaluation, compensation, independent inquiry, or mandatory security standards.
Article 32 — Supreme Court: Any person can approach the Supreme Court directly for enforcement of fundamental rights. NEET candidates have already filed petitions; affected CBSE and JEE students can join or file fresh petitions.
The Supreme Court has previously held — in the context of NEET 2024 — that it has jurisdiction to direct systemic reforms to examination bodies when fundamental rights are at stake.
5. Write to Your MP
The Parliamentary Committee on Education has already taken up the CBSE OSM controversy. Every student and parent can write to their Member of Parliament demanding that the committee’s mandate be expanded to cover JEE Advanced and NEET, and that ministerial accountability be examined. Parliamentary pressure has historically been one of the most effective accountability mechanisms in India’s examination reform history.
What Must Change: Systemic Demands
Beyond individual legal action, this triple crisis demands structural reform. Here is what civil society, students, and legal advocates must collectively demand:
— covering all three examinations, with findings made publicA unified parliamentary inquiry
— no national examination system goes live without CERT-In clearanceMandatory pre-deployment cybersecurity certification
— with suo motu jurisdiction over institutional data breaches in the education sectorImmediate constitution of the Data Protection Board
— the agency that has now failed students in 2024, 2025, and 2026 requires independent review of its mandate, internal security protocols, and oversight mechanismsNTA structural reform
— vendor penalties must flow to affected students, not into institutional accountsStudent compensation mechanism
— the removal of officials below the minister is administration, not accountabilityFull ministerial accountability
A 19-year-old found CBSE’s answer sheets on the open internet. A 16-year-old found JEE Advanced candidates’ results sitting in an unauthenticated cloud folder. A 17-year-old read government procurement documents and presented a seven-page submission to Parliament.
None of them were hired to do this. None of them had institutional resources. They used publicly available tools, applied basic technical and analytical skills, and did what the institutions responsible for protecting students failed to do.
India’s examination failures of 2026 are not, at their core, a technology story. They are a governance story. They are a story about what happens when institutions prioritise the appearance of modernisation over its substance — when a new platform is launched before a security audit is completed, when a vendor’s history of failure is overlooked because they submitted the lowest bid, when a criminal network operates across two consecutive years before it is caught.
The Digital Personal Data Protection Act exists. The RTI Act exists. The Constitution’s fundamental rights exist. The courts are open.
Use them. Know your rights. Demand accountability
This article is for informational purposes only and does not constitute legal advice. For specific legal remedies, please consult a qualified advocate.
Write Feedback
Read More….
- Can a Doctor Lose Their License for What They Say at a Comedy Show?

- Rights of Content Creators in India: What the Law Protects — and What It Doesn’t

- DIGITAL PERSONAL DATA PROTECTION ACT, 2023

- RIGHT TO PRIVACY IN INDIA

- Stop Eating Newspaper-Wrapped Food: FSSAI Issues Fresh Warning After Mumbai Vada Pav Incident


