The password was in the PDF. The PDF was on the internet.
Everyone is asking how CBSE got hacked. The better question is: why are we still surprised when institutions publish credentials in public documents and then wonder why their systems are compromised?
In 2024, a researcher flagged a government document circulating publicly — a neatly formatted table listing email addresses and their corresponding passwords for IED Resource Rooms across districts in Haryana. Column 1: location. Column 2: email. Column 3: password. Helpfully labeled. Publicly accessible. Basically a welcome mat.
(To be fair, at least they didn't use Post-it notes. They used a PDF. Progress.)
The warning was raised. Articles were written. The issue was documented. And then, as is tradition in institutional cybersecurity, nothing changed fast enough.
This is not about sophisticated hackers

When most people imagine a cyberattack, they picture a hooded figure in a dark room running elaborate exploit scripts against hardened infrastructure. The reality of many breaches in India's education sector is considerably less cinematic. It often looks more like: open browser, find document, read password, log in.
This is not a story about attackers being clever. It is a story about defenders not doing the basics.
"The issue was never a lack of warning. It was a lack of cyber hygiene, accountability, and ownership."
What "the basics" actually means
Every time a major breach makes headlines, organizations rush to discuss firewalls, zero-trust architectures, and threat intelligence platforms. Meanwhile, somewhere in a shared drive, there is a spreadsheet with passwords in column C.
The failures on display here were not exotic:
- Sharing credentials in plaintext public documents
- Using easily guessable passwords like "iedambala2" or "iedfatehabad"
- No visible MFA on government email accounts
- Treating each breach as a surprise rather than a pattern
(The password "iedambala2" suggests there was an "iedambala1" before it. One can only imagine the rigorous security review that prompted the upgrade.)
The fix is not complicated: rotate credentials, enforce multi-factor authentication, audit what's publicly accessible, and train humans — not just harden servers.
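One way to run the "audit what's publicly accessible" step on a document before it is shared, as an added example that is not part of the original article: it scans extracted text for rows shaped like the location/email/password table described above and notes when the password is built from the location or mailbox name. The function `audit_text`, the sample rows and every name in them are constructed for illustration.

```python
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: text as it might come out of a PDF table
# (location, email, password). All names and values are made up.
SAMPLE = """\
Resource Room contact list (constructed sample)
Exampur      ied.exampur@example.org      iedexampur2
Sampleabad   rr.sampleabad@example.org    iedsampleabad
Testnagar    rr.testnagar@example.org     q7V!x2Lp#9dR
Queries: helpdesk@example.org
"""

def _letters(s):
    """Lowercase and keep letters only, so 'ied.exampur' -> 'iedexampur'."""
    return re.sub(r"[^a-z]", "", s.lower())

def audit_text(text):
    """Flag rows where an email address is followed by exactly one token,
    the shape of a credential table. The secret itself is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EMAIL.search(line)
        if not m:
            continue
        trailing = line[m.end():].strip(" |,;.\t").split()
        if len(trailing) != 1:      # nothing, or ordinary prose, after the email
            continue
        secret = _letters(trailing[0])
        names = (_letters(line[:m.start()]), _letters(m.group().split("@")[0]))
        findings.append({
            "line": lineno,
            "account": m.group(),
            # True when the password embeds the location or mailbox name
            "derived_from_name": any(len(n) >= 4 and n in secret for n in names),
        })
    return findings

if __name__ == "__main__":
    for f in audit_text(SAMPLE):
        print(f)
```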
Systemic weakness isn't accidental — it's structural
India's education ecosystem involves hundreds of thousands of users across thousands of institutions, many of which have no dedicated IT staff, no security budget, and no clear ownership of digital hygiene. When a government document for coordinating resource rooms needs to be shared with field staff, someone makes a PDF. That PDF goes into a WhatsApp group, then onto a portal, then — if not carefully managed — into a search engine index.
This is not incompetence, exactly. It is the predictable outcome of deploying digital systems without deploying the supporting culture, training, and infrastructure to use them safely.
When a researcher flags a publicly exposed credential document and the response is silence — and then a breach occurs that could plausibly be connected — the lesson is not "we need better security tools." The lesson is: warnings need owners. Every flagged vulnerability should have an accountable human with a deadline.
The fix is boring. Do it anyway.
Cybersecurity for institutions at scale is not glamorous work. It is password managers and rotation policies and access audits and training sessions that people resent attending. It is the unglamorous plumbing nobody notices — until it fails spectacularly.
The CBSE episode, the OSM system controversy, and the exposed credential document from 2024 are not three separate stories. They are three chapters of the same one: a country scaling its digital public infrastructure faster than its digital safety culture. That gap will keep producing headlines until institutions treat cyber hygiene as a governance responsibility — not an IT department's problem to quietly absorb.
(Somewhere, a hacker is reading this and nodding appreciatively. Somewhere else, an IT officer is reading this and updating the password to "iedambala3". We can do better.)