CBSE OnMark Data Breach — DPDP Act & CERT-In

Relevance: GS Paper II — Governance; GS Paper III — Cybersecurity & Data Protection

Source: CBSE / Ministry of Electronics and IT, 2026

1 · Context

A 19-year-old ethical hacker exposed major security failures in ‘OnMark’, the Central Board of Secondary Education (CBSE) platform used to evaluate Class 12 answer sheets. The breach exposed 9.3 million sensitive student records stored on unsecured foreign cloud servers, without student or parental consent.

2 · The chain of failures

ONMARK BREACH · FOUR VIOLATIONS IN SEQUENCE

1. Unsecured cloud storage

Class 12 answer sheets stored on public Amazon Web Services (AWS) buckets — no password, no authentication.

Violates: DPDP Act, 2023 — duty of ‘reasonable security safeguards’.

2. Cross-border data flow

Indian student data routed to United States-based servers via public cloud.

Violates: Principle of data localisation for sensitive citizen data.

3. AI processing without consent

Vendor used external generative AI models on examination data — no consent.

Violates: DPDP Act, 2023 — informed-consent requirement.

4. Delayed disclosure

Vulnerability filed in February 2026; action only after public exposure.

Violates: CERT-In rule — incidents must be reported within 6 hours.

3 · Two roles under the DPDP Act, 2023

  • Data Fiduciary — the entity that decides why and how personal data is processed. Here: CBSE — directly liable.
  • Data Processor — the entity that processes data on behalf of the Fiduciary. Here: the technology vendor running OnMark.
  • Penalty: a Data Fiduciary that fails to prevent a breach can be fined up to ₹250 crore.

4 · Other key institutions and principles

  • CERT-In (Indian Computer Emergency Response Team): India’s nodal cyber-incident response agency. Set up under Section 70B of the Information Technology Act, 2000; functions under the Ministry of Electronics and Information Technology. Mandatory 6-hour reporting window.
  • Data localisation: sensitive citizen data — financial, health, biometric, educational — must be stored on servers within Indian territory to protect data sovereignty.

VALUE BOX · QUICK REVISION

  • DPDP Act, 2023: India’s first comprehensive data protection law.
  • Maximum fine: up to ₹250 crore on a Data Fiduciary.
  • CERT-In reporting: 6 hours — among the world’s strictest disclosure windows.
  • Statutory basis of CERT-In: Section 70B, IT Act 2000.
  • Remember: Fiduciary decides, Processor handles.

MCQ · PRELIMS PRACTICE

Consider the following statements regarding India’s data protection framework and CERT-In:

  1. Under the Digital Personal Data Protection Act, 2023, a ‘Data Fiduciary’ is the entity that processes personal data on behalf of another organisation, while a ‘Data Processor’ decides the purpose and manner of data processing.
  2. CERT-In, established under Section 70B of the Information Technology Act, 2000, functions under the Ministry of Electronics and Information Technology and mandates reporting of cyber incidents within 6 hours of identification.
  3. A Data Fiduciary that fails to prevent a personal data breach under the Digital Personal Data Protection Act, 2023 can be fined up to ₹250 crore.

Which of the statements given above are correct?

(a) 1 and 2 only (b) 2 and 3 only
(c) 1 and 3 only (d) 1, 2 and 3

Answer: (b) 2 and 3 only

Statement 1 — Incorrect (the trap). The two definitions are reversed. Under the DPDP Act, 2023, a Data Fiduciary decides the purpose and manner of data processing (here, CBSE). A Data Processor processes data on behalf of the Fiduciary (here, the OnMark vendor). UPSC often swaps these definitions to test careful reading.

Statement 2 — Correct. CERT-In was established under Section 70B of the IT Act, 2000, functions under the Ministry of Electronics and Information Technology, and enforces a mandatory 6-hour reporting window.

Statement 3 — Correct. The DPDP Act, 2023 allows a penalty of up to ₹250 crore on a Data Fiduciary that fails to take reasonable security safeguards.
