The Central Board of Secondary Education (CBSE) will penalize on-screen marking (OSM) service provider Coempt Edu Teck over issues with marking of online Class 12 answer sheets, officials familiar with the matter said on Sunday, after users on social media platform
The Hyderabad-based company will be fined in line with the penalty provisions detailed in the August 2025 tender document, officials said.
The tender, issued on August 28, stipulates a set of successive financial penalties attached to the remediation timelines – including a fine of $$1,000,000 for every 15-minute delay in correcting an issue after a CBSE administrator reports it to the Help Desk – Blocking Security Deposits and Terminating Contracts.
Also Read: 3 Teenagers vs CBSE: How OSM Class 12 Paper Examination System Exploded, Board Corrects, Defends and Confronts It
However, the contract does not include provisions to blacklist the company for such lapses. In fact, the blacklist standard made it to the August tender, but was removed in the corrigendum issued on September 20, 2025. Coempt Edu Teck was awarded the contract on December 5.
Coempt Edu Teck did not respond to requests for comment.
The development comes after 19-year-old ethical hacker Nisarga Adhikary claimed in a post on X on Sunday that answer sheets stored in an Amazon Web Services (AWS) cluster – a cloud storage container for files such as documents, images and data – were publicly available online.
Also Read: “Show the faces of terrorists!”: Rahul Gandhi meets Vedant, student in middle of CBSE class, mocks familiar insults
“The CBSE staff did not configure their AWS suite properly and we can now number and enumerate all their media containing 2,026 answer sheets and question papers,” Adhikary said on X, while attaching screenshots of several copies of answers.
Nearly four hours later, the board said it was “closely monitoring vulnerabilities in our service provider’s OnMark portal that are flagged in the public domain.”
The council did not identify the service provider by name.
“An expert team of cybersecurity professionals has been deployed over the past few days from various government arms as well as IITs to harden these systems, including moving them to a more secure setup. The identified vulnerabilities have been contained, and other exploitable vulnerabilities are being ruled out,” the CBSE said.
CBSE officials did not formally respond to HT’s queries on details regarding the vulnerabilities in the OSM system, penalties and the alleged extent of the data breach.
A CBSE official, who requested anonymity, admitted the vulnerabilities and assured that the contractor would be punished.
“The vulnerabilities identified by the board show that there was a data breach related to student data. In the tender rules, there are comprehensive provisions to impose a penalty on the company if it is proven that there are deficiencies in the scope of work. Obviously, penalties will be imposed due to various issues, which we have identified and have now resolved,” the official said.
Another CBSE official said the answer booklet “has not been leaked”.
“Our record indicates that the answer book was not leaked. The data is now safe and we have fixed and patched all the vulnerabilities. There is no vulnerability in the system now. We will collect data for all issues in OSM including vulnerabilities in the portal and impose penalties in line with tender rules and guidelines,” said the official, who also requested anonymity.
Also Read: After CBSE ‘monitoring’ issues via OSM portal, hacker says ‘my work is done’
The August tender introduced service level agreements (SLAs) – measurable performance standards that a vendor must meet during operations. It has imposed penalties for two groups of errors – “serious errors”, which include information leakage, major lapses in checking answer texts, and security lapses; and “other errors”, including missing answer book pages during scanning, data security breaches, and discrepancies in data exported to CBSE.
Under the agreement, corrective action must be taken for each error identified, otherwise a penalty of Rs $1 lakh will be charged for every 15 minutes of delay outside the schedule specified by CBSE. Likewise, delay in submitting the root cause analysis and corrective action plan attracts a penalty $1 thousand for every 60 minutes of delay. The contract also stipulates a penalty of $5,000 per 60 minutes delay in providing on-site support, onboarding assistance, training manuals, manual documents and user guides required for smooth running of CBSE operations.
The bid also sets the trigger point for calculating the delay. The SLA clock starts when the CBSE administrator either sends an escalation to the designated helpdesk email ID or files a complaint through the helpdesk. CBSE will calculate the SLA starting from the time the complaint is registered with the Help Desk or the time of receipt of the escalation email, whichever is earlier, provided that this falls within the Help Desk working hours.
The September 2025 correction, however, restricted CBSE’s right to blacklist errant vendors.
A note in the August tender read: “The case will be placed before the Commission as decided by the CBSE. The Commission may send a show cause notice for forfeiture of PBG.” [performance bank guarantee]Inclusion in the blacklist and termination of the contract.”
However, shooting changed that.
“The note on page 131 of the tender document has been amended so that ‘the Committee may send a cause notice to forfeit PBG and terminate the contract,’” the correction said.
Additionally, a clause in the August tender stating that “if any of the ‘other errors’ is repeated by the bidder, CBSE reserves the right to forfeit the security deposit, blacklist and terminate the contract” was amended in the correction.
“If any of the ‘other errors’ are repeated by the bidder, CBSE reserves the right to forfeit the security deposit and terminate the contract,” the correction said.
Adhikari told HT that the security vulnerabilities in the Coempt portal are easily accessible.
He said the storage container’s root directory — the top-level folder containing all stored files — was publicly available and could be listed without any authentication.
“The root of the cluster was publicly listable, meaning anyone on the Internet could see the full list of files and folders stored within it,” Adhikari added.
