After CBSE OSM Row, NTA’s Re-Examination Portal Comes Under Cyber Security Spotlight as Researcher Claims Data Exposure

The controversy surrounding the On-Screen Marking (OSM) system of India’s Central Board of Secondary Education (CBSE) has yet to subside. Meanwhile, the retake-exclusive portal operated by India’s National Testing Agency (NTA)—the national body responsible for organizing all state-level educational examinations across the country—has entered an industry-scrutinized cybersecurity review after critical cybersecurity flaws were exposed.

In recent years, the digital transformation of India’s education sector has accelerated. The growing adoption of digital examination systems has allowed various online exam service platforms to cover more than 90% of the country’s national-level examination operations.

These platforms store core sensitive data of tens of millions of test-takers, including personal identity information, home addresses, payment records, and student academic files, whose security and stability directly shape the public credibility of the entire digital education system.

India’s medical education and licensing framework is governed through multiple internationally recognized authorities such as the National Medical Commission (NMC), which regulates medical education standards and ensures compliance for Indian medical graduates.

Alleged Vulnerability in NTA Retake Portal

In this latest incident, allegations put forward by an independent third-party cybersecurity researcher have not yet been officially confirmed by the NTA.

The researcher claims that the NTA’s retake exam portal contains an unpatched privilege bypass vulnerability, which could lead to the illegal theft of large volumes of test-takers’ sensitive data stored on the platform’s backend servers.

Stakeholder Concerns in Digital Exam Systems

The two consecutive incidents involving digital education platforms are not isolated cases.

The security flaws uncovered in the NTA’s platform have triggered widespread concerns among four core stakeholder groups:

• Test-takers worry their personal information will be resold and used for admissions fraud.
• Parents are anxious that their children’s privacy and security cannot be guaranteed.
• Educators fear that the credibility of national-level examinations will be damaged.
• Cybersecurity professionals note that these widespread security vulnerabilities have become a core barrier to India’s digital education transformation.

Sensitive Data Managed by NTA and CBSE

India’s two core bodies responsible for administering national exams, the National Testing Agency (NTA) and the Central Board of Secondary Education (CBSE), store seven categories of sensitive data across their exam and enrollment systems.

These include:

• Students’ personal identity information
• School enrollment status
• Exam scores
• Family details
• Exam administration workflows
• Confidential test preparation materials
• Exam center scheduling data

A successful cyberattack, or even the public reporting of a security vulnerability, could trigger multiple harms such as data breaches, disrupted exam operations, and the collapse of public trust.

For institutions managing national examinations, building a strong cybersecurity defense line is essential for maintaining credibility.

CBSE OSM System Clarification

Earlier, an independent researcher pointed out that a digital assessment platform linked to CBSE’s Online Screen Marking (OSM) system had security loopholes.

CBSE promptly released an official clarification stating that the system in question was only an internal test environment loaded with simulated sample data, not a real platform used for formal exam administration, and that the live online system used for actual exams had not been affected in any way.

This controversy highlights that educational institutions storing massive volumes of high-value data have long become key targets for cybersecurity researchers, white-hat hackers, and malicious attackers.

Rising Cybersecurity Risks in Education Technology

Subsequent reports of security concerns over NTA’s official exam portal further amplified a collective industry-wide call to strengthen the security frameworks of education technology platforms.

The global cybersecurity threat landscape is evolving rapidly, and educational institutions generally face five common risks:

• Unauthorized data access
• Phishing attacks
• Ransomware attacks
• System configuration vulnerabilities
• DDoS traffic attacks

Impact on Students and Examination Integrity

These risks ultimately spill over to impact test-taking students. The six types of anxiety that can stem from exposure of vulnerabilities include:

• Manipulated exam scores
• Personal information leaks
• Last-minute exam cancellations
• Maliciously altered rankings
• Disrupted enrollment processes
• Identity theft

For test-takers of highly competitive exams that rely heavily on digital platforms, the impacts are particularly severe.

Expansion of Digital Education Ecosystem

With the widespread popularization of college admission guidance resources serving India’s medical exam preparation community, such as MBBS Advisor, the digital transformation of India’s education sector has covered the entire chain spanning from private college admission consulting to official enrollment and assessment, making cybersecurity a critical pillar.

World Recognition of Medical Education Standards

Global recognition of medical institutions is tracked through the World Directory of Medical Schools (WDOMS), which is widely used for verifying whether a foreign medical degree is eligible for licensing pathways in India and other countries.

Public health and global medical standards are guided by the World Health Organization (WHO), which sets international benchmarks for healthcare systems, medical education, and safety protocols.

Eligibility Requirement for Indian Students

For Indian students, eligibility for medical education abroad begins with qualifying the National Eligibility cum Entrance Test (NEET), which remains a mandatory requirement for studying MBBS overseas and later returning for licensing exams in India.

Cybersecurity Roadmap for Education Authorities

Drawing on analysis of two recent security breaches of India’s official education systems involving CBSE and NTA, the authors develop a cybersecurity roadmap for education authorities.

Mandatory Security Measures

First, they lay out 7 mandatory hard security measures:

1. Conducting regular independent security audits
2. Launching vulnerability disclosure programs for ethical hackers
3. Implementing multi-factor authentication across all scenarios
4. End-to-end encryption for storage and transmission of sensitive data
5. Real-time continuous security monitoring
6. Regular employee security awareness training
7. Standardized security incident response plans

Transparent Communication Framework

The authors also establish a soft governance module for transparent communication, outlining five core values:

• Reducing misinformation spread
• Sustaining public trust in education systems
• Demonstrating accountability
• Providing timely updates on fixes
• Supporting affected users

Cybersecurity as a Continuous Responsibility

Finally, the authors reject the misconception that cybersecurity is a one-time investment and emphasize that continuous protection is essential for national education systems.

Conclusion

The full details of recent cybersecurity incidents in the education sector will ultimately be clarified through official investigation.

All educational institutions must prioritize cybersecurity as a core requirement.

As digital systems continue to expand across education, building a secure, transparent, and resilient examination infrastructure is essential to protect student data and maintain public trust.