CBSE acknowledged vulnerabilities in its OnMark platform for Class 12 answer sheets after public disclosure by ethical hackers.
The board deployed cybersecurity experts from government and IITs to fortify the system and contain the identified weaknesses.
Ethical hacker Nisarga Adhikary reported the vulnerabilities to CBSE in February, highlighting poorly managed infrastructure and easily guessable passwords.
The On-Screen Marking platform had 9.3 million columns and rows of sensitive student data, including unprotected answer sheets.
Detailed Insights:
Nisarga Adhikary discovered that an Amazon Web Services (AWS) bucket containing answer sheets and question papers was accessible without authentication.
COEMPT Eduteck, CBSE’s technology vendor, allegedly stored data in AWS public buckets without proper security checks, raising data sovereignty concerns.
Sensitive student data was reportedly processed by Google’s Gemini in automation scripts, raising concerns about data privacy and potential violations of data privacy laws.
The incident highlights the importance of robust cybersecurity measures and adherence to data privacy laws in handling sensitive student information.
Key Concepts Involved:
Ethical Hacking: The practice of testing a system to find vulnerabilities that a malicious attacker could exploit.
Data Sovereignty: The concept that data is subject to the laws and governance structures within the nation it is collected.
Data Privacy Laws: Regulations that govern the collection, storage, and use of personal data to protect individual privacy rights.