CBSE's OSM Controversy Is About More Than Marks. It's About Trust

The concern is whether audits and cyber security assessments are done independently or not.

Malvika Mehta
Opinion

This is not the first time the CBSE’s digital infrastructure has come under scrutiny.

(Photo: Kamran Akhter/The Quint)

For decades, exams followed a relatively straightforward process. The student wrote the answer booklet, which was then submitted, collected, transported, securely stored, evaluated, stored again, and finally converted into results.

Modernisation of exams, reduction of human error, and efficiency at a massive scale were the objectives of CBSE’s on-screen marking (OSM) system. The CBSE’s answer sheet is now part of a largely digital examination system, reflecting a fundamental shift in how evaluations are conducted.

A scanning error can affect marking, a database mismatch can create discrepancies, and a system misconfiguration can trigger privacy concerns.

It is not the first time the CBSE’s digital infrastructure has come under scrutiny. Digitisation does increase systemic risks; however, with sound governance and appropriate frameworks, it can also improve efficiency.

When concerns around the examination evaluation emerged, they affected scores, privacy, and accountability. But the real story is beyond marks. It is about trust.

I examined all the different reported allegations available in the public domain in the ongoing CBSE controversy and their potential impact to establish how it's not an isolated operational lapse but raises a broader question of governance and accountability.

What the Available Evidence Suggests

A 360-degree structured assessment suggests several explanations may coexist behind the allegations circulating online, although many require independent verification.

There are four hypotheses with currently high or very high confidence.

Then, there are six hypotheses with moderate confidence. Here, possible vendor incompetence is moderately high confidence and data exposure is moderately low.

Finally, there are three hypotheses with low confidence.

Who Is Accountable?

It's important to note that this assessment is provisional and should be audited against future findings.

Where there is evidence of deliberate concealment or manipulation, independent audit confirming that the platform was technically robust and fit, there would be evidence of rigorous technical due diligence conducted at regular intervals with traceable audit logs, the errors in CBSE examination results would have appeared random with an inclination in operational failures.

Based on the publicly available material analysed, these questions remain unanswered.

The most pressing concern for today’s youth is the erosion of public trust in the examination and investigation system, a problem compounded by short-term responses rather than a transparent effort to establish responsibility and accountability.

The integrity of any examination system depends completely on the technology used, the infrastructure, and governance. Students' names, roll numbers, school information, handwriting samples, signatures and other personally identifiable information represent a vast volume of sensitive personal data. In the absence of strong safeguards, significant privacy risks can emerge.

The Accountability Questions

Who investigates when a digital system is challenged? Who preserves the logs for audit and verification? Who verifies whether answer sheets were processed correctly? Who determines whether the issue was the result of human error, a software failure, immature digital ecosystems, configuration irregularities, irresponsibility or malicious activity?

The concern is whether audits and cybersecurity assessments are done independently and acted upon in time, or whether they are treated as a formal compliance checkbox activity. From the media reports on the Computer Emergency Response Team (CERT-In)'s prior notification to CBSE, the questions are:

  • Who got the CERT notification?

  • Was it actioned? If not, why was it not actioned?

  • Is it related to the same portal?

  • Who is accountable?

  • Who is responsible for incident response?

  • Are the audit logs preserved?

Immediately after the controversy, several claims surfaced of unauthorised access to CBSE’s digital ecosystem and to extremely sensitive information: alleged master passwords found in open forums, and leaked credentials, currently estimated at more than 6,879, found in leaked databases containing user IDs, passwords, and URLs (including that of GEM, the procurement portal) on the darknet, Telegram, and open internet channels between 2022 and 2024.

Some red flags found during research include a 2021 Telegram exchange in which a user asked for the CBSE Class 12 question paper and other users responded with a contact, with payment allegedly sought in Bitcoin. Another example comes from various Telegram channels sharing CBSE 10th class papers; the link to the YouTube video is private.

While the authenticity of that remains unconfirmed and should not be treated as proof of a leak, it is still a relevant red flag that warrants investigation. These patterns raise questions but should not, on their own, be taken as established misconduct unless probed.

(Screenshot by Malvika Mehta)


A Governance Question, Not Just a Technology Question

At minimum, this shows that examination-related material was being discussed in illicit marketplaces well before the present controversy. There may have been a perceived ecosystem for monetising access, whether real, fraudulent or opportunistic. The same is true for many other examinations of national and regional importance.

Was the vendor deployment approved despite known issues? Was the platform fit for the purpose it claimed? Why were special privileges assigned to a vendor with a past compliance issue? Why were these not addressed transparently?

This controversy is an example of the risks that can arise when a large examination system digitises the entire chain of education artefacts without visibly mature frameworks for data privacy, cybersecurity, traceability and independent oversight.

Until these questions are answered, the controversy will remain about more than marks.

(Dr Malvika Mehta is a cyber intelligence and investigations specialist working across digital forensics, OSINT, darknet intelligence, crisis management, and risk advisory. She is the founder of BLK CORAL INTELLIGENCE, an intelligence-led risk advisory firm. This is an opinion piece and the views expressed are the author's own. The Quint neither endorses nor is responsible for them.)
