When the Classroom Can't Lock Its Own Door: The Cybersecurity Crisis in India's Education Sector

AI tools breaching CBSE portals. Government education credentials stored in plaintext. Vendor tech found "seriously deficient." India's education system is failing the most basic test — and the stakes go far beyond exam results.

The Report Card No One Wanted to See

Two images tell a story that should alarm every parent, student, policymaker, and educator in India.

The first: a publicly accessible government education portal displaying district-wise login credentials — email addresses and passwords — for institutional accounts across multiple Haryana districts. Not hashed. Not encrypted. Not hidden behind any meaningful access control. Plaintext. Visible to anyone with the URL.

The second: a front-page Economic Times report revealing that a high-level IIT panel — convened to review the security of CBSE and its Online Submission and Marking (OSM) portals — found that powerful AI tools, including Claude, were being used to detect portal vulnerabilities and gain access. The panel's conclusion was blunt: vendor tech was found "seriously deficient."

Together, these two data points do not describe an isolated incident. They describe a systemic failure — one that runs from state-level school administration all the way to India's most prestigious national examination body.

The education sector, the institution most responsible for teaching the next generation about digital safety, integrity, and responsibility, cannot secure its own house.

What the IIT Panel Actually Found

The expert panel drawn from IIT Kanpur and IIT Madras was deployed to secure the CBSE's OSM portals following a serious breach. What it found was damning on multiple levels.

Powerful AI tools were being used to probe the CBSE portal for vulnerabilities — and they were finding them. The portal reportedly experienced a denial-of-service attack causing 1.5 million hits within two minutes, alongside more than 100,000 unauthorised file access attempts. These are not the fingerprints of casual mischief. They are the signatures of a coordinated, sophisticated operation.

The panel also found that the CBSE's OSM vendor — Coempt Edutech — did not have adequate capability or conceptual knowledge on portal security mechanisms. In other words, the organisation entrusted with running the digital infrastructure for one of India's most consequential examinations did not understand the security requirements of the system it was being paid to operate.

In response, MeitY shifted the CBSE-OSM data from the private vendor to a government-managed Amazon Web Services (India) environment. CERT-In was directed to conduct a full security audit. The National Testing Agency was brought in to check against further incidents. Copies of admit cards linked to JEE Advanced had already surfaced on social media — raising acute concerns over data breaches affecting more than 2.2 million students.

Simultaneously, the NTA itself was closing down several digital assets that had gone dormant or into disuse — assets that could offer a gateway to hacking, officials noted. The phrase "gateway to hacking through disused digital assets" should not exist in any sentence about an organisation that runs India's national entrance examinations.

The Plaintext Password Problem: A Foundational Failure

The Haryana IED portal incident represents a different — and in some ways more alarming — category of failure. Not a sophisticated AI-assisted breach. Not a coordinated denial-of-service attack. Just credentials stored and displayed in plaintext on a government-hosted URL.

In cybersecurity, storing passwords in plaintext is not a minor oversight. It is a foundational failure — the equivalent of leaving the school's master key hanging on the front gate with a label identifying it. Every cybersecurity framework, from the most basic IT hygiene guidelines to advanced compliance standards, treats plaintext password storage as an unacceptable practice. It has been unacceptable for decades.

The fact that this practice exists in a government education system in 2026 — in the year that India is positioning itself as an AI and digital superpower — is not just a technical problem. It is a governance problem, a procurement problem, and an accountability problem all at once.

Who specified the security requirements for this portal? Who approved the implementation? Who audited it? Who is responsible for the institutional accounts of teachers and administrators across dozens of districts whose credentials are now effectively public?

These are not rhetorical questions. They are the questions that a functioning digital governance system must be able to answer — and right now, the education sector cannot.

The Ethics of Preaching What You Cannot Practice

Here is where the failure moves beyond the technical and becomes genuinely ethical.

India's education system teaches children about digital literacy. Schools run awareness campaigns about online safety. Students are told not to share passwords, not to use weak credentials, to be vigilant online. The CBSE curriculum includes computer science, information technology, and — at higher levels — cybersecurity concepts.

And yet the institutions delivering that education store their own credentials in plaintext. Their exam portals are breached. Their vendor tech is found deficient. Their data governance is reactive rather than proactive.

This is not merely hypocrisy. It is a credibility crisis.

When an institution teaches one thing and practices another, it sends a message far more powerful than any lesson plan. Students watching the CBSE portal breach unfold — students who sat that exam, whose admit cards circulated on social media, whose personal data was exposed — are not learning about cybersecurity from a textbook. They are learning from lived experience that the institutions responsible for their futures do not take their data seriously.

That lesson will last longer than anything on the curriculum.

Why the Education Sector Is a Prime Target

Part of the problem is that education has historically been treated as low-risk from a cybersecurity perspective — a sector that holds sensitive data, yes, but not the kind of data that attracts serious adversaries.

That assumption is wrong, and dangerously outdated.

Education systems hold extraordinarily valuable data: personal identification information for millions of students and families, financial data through fee payment systems, health records through welfare schemes, biometric data through Aadhaar-linked enrolment, and — critically — examination data that can be monetised through paper leak networks that have proven deeply damaging to India's national examination credibility.

Cyberattacks on education have surged globally. In the UK, schools have been among the most targeted organisations for ransomware attacks. In the United States, school districts have paid millions in ransom to recover encrypted student records. In India, the repeated controversies around paper leaks — while not all attributable to digital breaches — create a market incentive for exactly the kind of portal probing the IIT panel found evidence of.

The attackers know the value of the data. The institutions holding it have been slower to catch up.

The Vendor Accountability Gap

One thread running through both incidents is vendor failure. The CBSE's OSM vendor was found to lack adequate technical capability. State-level education portals are built and maintained by vendors who may have won contracts through processes that prioritised cost over competence.

This is the real structural problem. Cybersecurity cannot be an afterthought in government technology procurement. It cannot be a checkbox on a tender document that a vendor ticks without possessing the underlying capability. And it cannot be left to post-breach panels to diagnose — by which point the damage is already done.

The advisory that emerged from the CBSE controversy — sent to key government departments and bodies on cybersecurity hygiene in digital services procurement — and the request for proposals from the design stage itself represents the right direction. But advisories and requests for proposals are only as strong as the enforcement and audit mechanisms behind them.

MeitY's focus on exercising caution in procurement following the CBSE controversy is welcome. What is needed now is a binding cybersecurity standard for all government education technology vendors — with mandatory pre-deployment penetration testing, credential management requirements, and ongoing audit obligations — that is enforced, not merely recommended.

What Good Looks Like — and How Far Away It Is

Good cybersecurity in education is not complicated in principle. It requires password hashing as a baseline non-negotiable. It requires multi-factor authentication for institutional accounts. It requires penetration testing before any public-facing portal goes live. It requires incident response plans that are tested, not just documented. It requires vendor due diligence that includes technical capability assessment, not just price comparison.

None of these are exotic. They are standard practice in any reasonably governed digital organisation.

The gap between that standard and the current state of India's education sector digital infrastructure is wide. Closing it requires treating cybersecurity not as a cost centre to be minimised during procurement, but as a core function of educational governance — as fundamental as keeping school buildings structurally sound.

An institution that cannot protect the data of the students it serves has forfeited a measure of the trust on which the entire educational relationship depends. In an era where students' academic records, personal identities, and examination outcomes are all managed digitally, that trust is not a soft value. It is the operational foundation of the sector.

The Bottom Line

India's education sector stands at an inflection point. It can continue treating cybersecurity as a peripheral concern — patching breaches reactively, replacing vendors after failures, issuing advisories that gather dust — and face escalating incidents as adversaries grow more sophisticated.

Or it can recognise that an education system that does not secure its own data has lost the moral authority to teach anyone else about digital safety.

The students watching are taking notes.

The institutions that fail this test will not just lose data. They will lose something harder to recover: credibility.

Tags: CBSE · Cybersecurity · India Education · Data Breach · IIT Panel · MeitY · CERT-In · Digital Governance · Vendor Accountability · Student Data Privacy · NTA · Digital India