CBSE AWS Bucket Misconfiguration Exposes 2 Million Students
A major data breach allegation is shaking India's education system. Opposition leaders in Congress have flagged that answer sheets belonging to approximately two million Grade 12 students were left openly accessible in a public AWS bucket managed by a third-party contractor working with the Central Board of Secondary Education (CBSE). The incident has prompted calls for a government investigation and raises uncomfortable questions about how sensitive student data is handled at scale.
CBSE initially denied any breach occurred, but later acknowledged security gaps in its On-Screen Marking portal after an ethical hacker named Nisarga Adhikary brought the exposure to light. The contractor at the center of the controversy is COEMPT Eduteck, the technology vendor responsible for managing the digital evaluation system.
What Was Exposed: Scope of the CBSE AWS Bucket Misconfiguration
The core of the problem is straightforward but serious. AWS S3, a common cloud storage service, stores files in buckets whose fine-grained access controls must be deliberately configured. When those settings are left open or set to public by mistake, anyone who knows how to look, and often anyone who simply stumbles upon the URL, can browse, download, or enumerate the files inside.
In this case, security researchers reportedly found that the bucket's contents could be paginated and listed, meaning files were not just accessible but easily browsable. For a dataset involving two million Grade 12 students' answer sheets, that represents a significant quantity of sensitive academic records potentially viewable by unauthorized parties. The students whose work was exposed had no knowledge of the risk and no ability to prevent it.
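The distinction between "accessible" and "browsable" maps onto two separate S3 permissions, and a bucket owner can check a policy for both before a system goes live. The following is an added example, not code from CBSE, the contractor, or the researcher: a simplified Python audit of a bucket policy document. The bucket name, account ID, and policies are constructed samples, and the function names are hypothetical.

```python
import fnmatch
import json

# Constructed sample: anonymous callers may list the bucket and read objects.
OPEN_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-answer-sheets",
                 "arn:aws:s3:::example-answer-sheets/*"]}]})

# Constructed sample: access limited to one (placeholder) AWS account.
SCOPED_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-answer-sheets/*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anonymous(principal):
    """True when the statement's Principal covers unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants(statement, action):
    """True when any Action pattern in the statement matches `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def public_exposure(policy_json, restrict_public_buckets=False):
    """Report which anonymous capabilities a bucket policy grants.

    Simplified model: only unconditional Allow statements are counted;
    explicit Deny statements and object ACLs are not evaluated.
    """
    findings = {"list": False, "read": False}
    if restrict_public_buckets:
        # The Public Access Block setting RestrictPublicBuckets cuts off
        # anonymous access even when the policy itself is public.
        return findings
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue  # conditional statements need manual review
        if _anonymous(st.get("Principal")):
            findings["list"] |= _grants(st, "s3:ListBucket")  # browsable
            findings["read"] |= _grants(st, "s3:GetObject")   # downloadable
    return findings
```

A result with "list" set to True corresponds to the browsable condition described above, where file names can be enumerated rather than guessed.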
CBSE's after-the-fact claim that the compromised portal was only a testing or demo environment does little to resolve the underlying concern. Whether the exposed data was real or not, the configuration failure was real, and it reflects a pattern of inadequate cloud security hygiene.
Who Is Responsible: The Third-Party Contractor Problem in Government EdTech
This incident highlights a structural problem that extends far beyond CBSE. Government agencies and educational institutions routinely outsource their technology infrastructure to third-party vendors. When a breach or exposure occurs, the chain of accountability becomes murky. Was COEMPT Eduteck given proper security requirements by CBSE? Who audited the configuration before the system went live? Who is liable for the exposure?
These are not rhetorical questions. The answers determine whether meaningful consequences follow, or whether institutions simply issue denials, quietly patch the problem, and move on until the next incident. Congress's demand for a formal government investigation is a reasonable response, but investigations alone do not restore privacy for students whose data may already have been accessed.
The third-party vendor problem is not unique to India. Across the world, government bodies and educational institutions routinely extend trust to contractors whose security practices they neither fully understand nor consistently audit. This is a systemic failure, not an isolated one.
Why Institutional Failures Put Every Student at Risk
Students submitting exam answer sheets have no meaningful choice in the matter. They cannot opt out of the digital evaluation system, negotiate different data storage terms, or verify how their information is secured. They must trust that the institutions responsible for their academic futures are also responsible custodians of their data.
The CBSE case illustrates why that trust is often misplaced. Just as government agencies have faced criticism for purchasing and sharing sensitive personal data without public knowledge, educational institutions can expose student data through negligence rather than intent, with similarly serious consequences.
Once data is exposed in a publicly accessible cloud bucket, there is no reliable way to determine who accessed it, copied it, or retained it. The exposure window may have been open for hours, days, or longer before discovery. That uncertainty is itself a harm, independent of whether anyone with malicious intent actually exploited the access.
For students, the data in question is not just personally identifying. It includes academic performance records tied to their identities at a high-stakes moment in their education. That information could be used in ways ranging from targeted scams to academic fraud, depending on who accessed it.
How Students and Families Can Protect Their Data When Systems Fail
The honest answer is that no personal privacy tool can prevent an institutional misconfiguration. Students cannot encrypt their own answer sheets before submitting them. They cannot stop a contractor from leaving an S3 bucket open. Institutional failures require institutional accountability.
However, there are practical steps individuals can take to reduce their broader exposure when systems they depend on prove untrustworthy.
Monitor for data exposure. Services that track whether your email address or personal details appear in known data breaches can alert you when your information surfaces in unauthorized places. Acting quickly after a breach, by changing passwords and enabling two-factor authentication on linked accounts, limits downstream damage.
Limit the data you share voluntarily. Educational portals often ask for more information than they strictly need. Providing only what is required reduces your footprint in any given system.
Use a VPN on shared or public networks. A VPN encrypts your internet traffic, which is particularly valuable when accessing sensitive academic portals from school networks, cafes, or other shared connections. It cannot prevent server-side misconfigurations, but it protects the data you transmit from interception in transit.
Stay informed about your rights. India's Digital Personal Data Protection Act establishes frameworks for how personal data should be handled. Knowing what rights you have, and how to file complaints, puts pressure on institutions to take their obligations seriously.
What This Means For You
The CBSE AWS bucket exposure is a reminder that privacy is not a guarantee any institution can make on your behalf. When two million students' answer sheets can be left in a public cloud bucket by a vendor hired to protect them, the gap between institutional assurances and institutional practice is impossible to ignore.
Personal privacy tools, including VPNs, encrypted communications, and breach monitoring services, are a first line of defense when the institutions you depend on cannot be trusted to secure the data they hold. They do not replace accountability, but they give individuals meaningful agency in a system that often treats user data as an afterthought.
The students affected by this exposure deserve a full, transparent investigation, clear answers about what was accessed, and enforceable standards that prevent the next contractor from making the same mistake. Until those standards exist and are enforced, protecting your own data wherever you have the ability to do so is not paranoia. It is prudence.




