CBSE-OSM controversy highlights systemic cybersecurity flaws
The recent controversy surrounding the Central Board of Secondary Education (CBSE) and its Online Security Module (OSM) has exposed deep-rooted vulnerabilities in India's cybersecurity framework, according to experts. The issue, which came to light in June 2026, reveals that cyber risks often originate long before a breach occurs, stemming from inadequate audits, flawed procurement processes, and a lack of institutional accountability.
What happened: The CBSE-OSM breach
In early June 2026, reports emerged that the CBSE's OSM, a system designed to protect exam data, had been compromised. The breach potentially exposed sensitive information of millions of students. An investigation by cybersecurity analyst Karan Saini, published on June 20, 2026, indicated that the vulnerabilities were not just technical but procedural. The OSM was procured without rigorous security audits, and the vendor selection process lacked transparency, according to sources familiar with the matter.
Details: Procurement and audit failures
The investigation found that the CBSE did not conduct independent penetration testing or vulnerability assessments before deploying the OSM. Saini noted that "the procurement process prioritized cost over security," leading to the selection of a system with known weaknesses. Furthermore, the board failed to enforce regular security audits post-deployment, leaving the system exposed for months. A former CBSE official, speaking on condition of anonymity, stated: "There was a culture of complacency. We assumed the vendor would handle security, but that was a mistake."
Impact: Broader implications for India's cybersecurity
The CBSE-OSM case is not isolated. Experts argue that similar patterns exist across government agencies, where cybersecurity is often an afterthought. The breach could affect over 10 million students whose data may have been compromised, though CBSE has not confirmed the exact number. The incident has prompted calls for a national cybersecurity audit mandate for all public sector organizations. Saini emphasized that "India's cyber vulnerabilities begin long before a breach—they start with how we design, procure, and maintain systems." The controversy underscores the need for institutional accountability, with clear penalties for negligence in cybersecurity practices.
