Data Stripped From Vendor: CBSE Retains COEMPT for Scanning Amid Structural Server Evacuation

The board responds to intense system vulnerabilities and a 3.8-million-packet cyberattack by executing a full structural migration to internal IT infrastructure.

The Central Board of Secondary Education (CBSE) has executed an emergency structural overhaul of its digital evaluation architecture. On Saturday, board directors confirmed that all student records, scanned files, and database structures tied to the controversial On-Screen Marking (OSM) system have been stripped from the private servers of Hyderabad-based vendor COEMPT Eduteck Pvt Ltd. The entire digital apparatus has been migrated onto sovereign, board-controlled cloud infrastructure.

Despite this major server evacuation, the board has chosen to retain COEMPT exclusively to handle the physical scanning of answer booklets required for the ongoing post-result re-evaluation cycle. The decision to split the contract—keeping the vendor for mechanical scanning while completely removing its data hosting privileges—arrives as the board scrambles to contain the massive CBSE OSM controversy that has drawn intense scrutiny from parliamentary committees, ethical hackers, and opposition leaders.

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

Red Team vs. Blue Team: The 10-Day Elite Security Audit

The emergency server migration follows a series of sophisticated, high-volume cyberthreats targeted directly at the board’s post-result portal. On June 3, state defense networks successfully intercepted a massive Denial-of-Service (DoS) attack that directed over 3.8 million malicious data packets at the re-evaluation gateway within a two-minute window.

To secure the system, the Ministry of Education deployed elite cybersecurity divisions from IIT Kanpur and IIT Madras to conduct an emergency ten-day penetration audit.

The joint academic task force implemented a strict “Red Team-Blue Team” defense framework. Engineers from the Digital India Corporation (DIC) acted as the Blue Team, rewriting flawed application code and strengthening the software architecture. Concurrently, the IIT Kanpur division operated as the Red Team, launching continuous simulated exploits to identify hidden system flaws.

The audit was also influenced by a series of vulnerabilities exposed by an independent 17-year-old ethical hacker named Nisarga, whom the board officially invited into the command center to map out system weaknesses. While technical supervisors report that no student marks or private biographical data were stolen during the recent cyber incidents, the threat landscape made relying on external third-party hosts an absolute institutional liability.

Splitting the Operations: Scanning vs. Data Control

Defending the decision to keep COEMPT for physical scanning tasks, senior IT auditors clarified that the mechanical processing of paper sheets was not the source of the platform’s security vulnerabilities.

Because the mechanical error rate during the main evaluation cycle was limited to roughly one out of every ten thousand pages, officials expect no major delays during the cleanup process. COEMPT engineers have been banned from managing the network layers, but they remain on-site under tight supervision to guide internal IT desks through the custom data migration scripts.

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

The Broader Tender Integrity Standoff

The infrastructural shift occurs against the backdrop of an intensifying political battle regarding how the ₹384-crore digital marking contract was originally awarded.

A detailed data review published by 17-year-old student investigator Sarthak Sidhant exposed that the CBSE systematically modified its Request for Proposal (RFP) conditions across three consecutive bidding rounds. The rule changes included altering historical blacklisting clauses and dropping maximum allowed scanning error margins, allowing COEMPT to narrowly defeat tech giant Tata Consultancy Services (TCS) by a margin of just two points in the technical round.

Institutional Response: Reaffirming the board’s revised position, an official associated with the technical audit stated that data security demands complete institutional ownership. “When security is a concern, it is naturally better to have the system under CBSE’s control rather than depend entirely on a vendor’s servers,” the official clarified.

With more than 70,000 student grievance applications currently active in the system, the board has extended its post-result filing deadline to ensure all medical and engineering aspirants can safely access readable copies of their answer sheets.

FAQ Section

Why is the CBSE keeping COEMPT if their servers were compromised?

The CBSE has restricted COEMPT’s role to the physical scanning of paper answer books. The technical audit showed that the vendor’s physical scanning units were reliable, with an error rate of just 1 in 10,000 pages. However, to ensure security, all data hosting and software management have been stripped from the vendor and moved in-house.

What did the IIT Kanpur and IIT Madras security audit reveal?

The elite engineering teams executed a ten-day “Red Team-Blue Team” cybersecurity exercise, finding multiple code vulnerabilities within the portal. While they confirmed that no student data theft occurred during the June 3 cyberattacks, they ordered an immediate migration of all data to CBSE-controlled servers.

How many students have filed complaints regarding the 2026 OSM evaluation?

As of June 4, 2026, the CBSE post-result services portal had logged 70,433 student applications. This total includes 7,314 requests for simple mark verification and 63,119 formal applications demanding full paper re-evaluation due to poor scanning quality or skipped answers.

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

End…