Order an independent security audit of CBSE’s OSM portal, activists tell Education Ministry

The Internet Freedom Foundation (IFF), a digital rights advocacy organisation, has urged the Ministry of Education to direct the CBSE to undertake an end-to-end review of the contract with Coempt EduTeck Pvt. Ltd, the company that allegedly provided tech infrastructure for handling the Board’s Onscreen Marking (OSM) platform ‘OnMark’.

The review should address issues the procurement process, security certifications obtained prior to deployment, the vendor’s contractual obligations on secure development, vulnerability remediation, breach notification and forensic cooperation, the indemnification, liability cap and audit-rights provisions, and termination conditions, the IFF said in a letter to the Education Ministry and the Ministry of Electronics and Information Technology, written in light of growing complaints from CBSE students on exam evaluation via OSM.

“Pending the review, the CBSE should not extend or renew the said contract, and should place a moratorium on further onboarding of evaluators or expansion of the OSM platform to other subjects or boards. The OnMark platform is deployed across other examination boards; the systemic character of the defects therefore implicates a wider set of public sector users than the CBSE alone,” the letter stated.

“An independent security audit of the OSM portal and the underlying infrastructure must be commissioned by the Ministry of Education, conducted by an auditor not previously engaged by the CBSE or the vendor, with the executive summary placed in the public domain,” the IFF said.

Digital assessment

The CBSE has maintained that contracts are awarded through standard general financial rules and protocols via the Central Public Procurement portal. 

Coempt EduTeck Private Limited, said to have formerly operated under the name Globarena Technologies, is a Hyderabad-based education tech company that provides digital learning and assessment solutions to universities, government education boards and autonomous institutions across India. 

Telangana experience

In 2018-19, the Telangana State Board of Intermediate Education contracted Globarena Technologies to digitise and manage the result-processing infrastructure for the State’s intermediate public exams. The steps included OMR sheet digitisation and data capture, automated result processing and mark tabulation, re-evaluation workflow management and handling the back-end of administration.

In April 2019, when the results were published, over 4,200 students in the Maths, Economics and Commerce stream discovered they had received single-digit scores in Maths. Also, students found their practical exam marks missing from records. Some students who had physically appeared for exams were incorrectly recorded absent. The confusion preceded the suicide of at least 20 students, whose deaths were publicly linked to the result chaos. 

The Telangana government constituted a three-member expert committee to look into the matter. The panel found that Globarena’s system had never been benchmarked against previous years’ examination data to verify its accuracy. The software had been deployed without proper testing protocols and certification. Inadequate software design and the absence of robust quality assurance processes were flagged. The Telangana government later terminated its association with the firm. 

Vulnerabilities flagged

Cybersecurity researchers have reported vulnerabilities in the OSM portal run by the CBSE to the Ministry of Electronics and Information Technology’s Computer Emergency Response Team (CERT-In). They have flagged potential issues such as impersonation of examiners, unauthorised access to evaluation dashboards, the risk of altering student marks, and the risk of exposure of teacher credentials, evaluator information and financial data associated with examiner accounts. 

“A forensic review of evaluation activity in that period, in respect of unauthorised mark alterations, password changes and account takeovers, should be conducted and its methodology and findings published,” the IFF said in its letter.

While CBSE has stated that the vulnerabilities were only in the test site containing sample data, cybersecurity researchers have disputed the CBSE’s statement by presenting video evidence that the hardcoded master password (which could be located by any person with basic knowledge of browser developer tools with a simple text search) granted access not only to the test site but to systems containing live production data. 

Researchers have also questioned whether the distinction between a test site and the production system was meaningful if both shared the same codebase and security vulnerabilities.