2 Sources
[1]
Claude, other AI tools used to breach CBSE portals: IIT Panel
AI tools like Claude were used to find vulnerabilities in CBSE's on-screen marking portal, revealing the vendor's inadequate security knowledge. Following this, data was moved to a government-controlled AWS segment. A high-level panel addressed these issues and also secured the JEE Advanced portal amid concerns of data breaches.
New Delhi: The high-level panel of top experts from IIT Kanpur and Madras deployed to secure the CBSE and its on-screen marking (OSM) portals has found that powerful artificial intelligence tools, mainly Claude, were used to detect vulnerabilities and gain access, ET has learnt.
The panel also found that the CBSE-OSM vendor, Coempt Edutech, did not have adequate capability or conceptual knowledge on portal security mechanisms. Accordingly, backed with strong support from the Ministry of Electronics and Information Technology (MeitY), the CBSE-OSM data was shifted from the private vendor to a government-managed and controlled segment of Amazon Web Services (India).
The panel, which has now been deployed for a week, has played a crucial role in ensuring that the CBSE verification and re-evaluation portal went live, even though a day late on June 2. The panel also completed a security analysis of the JEE Advanced portal, Joint Seat Allocation Authority, on Wednesday, addressing vulnerabilities and clearing it, ET has gathered. Copies of admit cards linked to JEE Advanced had emerged on social media earlier this week, raising concerns over data breach.
Meanwhile, MeitY and the Indian Computer Emergency Response Team (CERT-In) moved into the picture in a big way. The expert panel has asked CERT-In to conduct a security audit of the CBSE portal while MeitY is coordinating with NTA and CBSE to check against any further incidents. After the CBSE-vendor row, an advisory is learnt to have been issued to key departments and bodies on ensuring cybersecurity hygiene in digital services procurement and request for proposals from the design stage itself.
All organisations are on high alert amid rounds of cyber lapses, and with good reason. ET gathers that one of NTA's digital portals was hit by half a million attempts on Sunday - the day CUET was held up by technical glitches and delays, which prevented over 3,700 students from appearing for the exam. A re-test will be held for them on June 6-7 with strong MeitY support to back up the digital bandwidth, even as top IT services firm Tata Consultancy Services is handling the exam.
CBSE on Tuesday also reported denial-of-service attacks (attempts to overwhelm a website/portal), causing 1.5 million hits on the portal within two minutes and more than 100,000 unauthorised file access. MeitY, however, does not essentially consider the CBSE OSM portal a case of 'cyberattack', but more a case of ethical hackers probing for gaps as soon as the portal was attempting to go live - gaps that were finally addressed, officials indicated.
Even though NEET-UG 2026 is a pen-and-paper test and does not require CUET-OSM-like security rings, MeitY is working closely with NTA to support exam security at test centres and monitoring levels, it is gathered. With translators now emerging as a key weak link as per the CBI probe, NTA is particularly aiming at minimising human interface and using AI largely to translate the exam paper (offered in 13 languages) to ensure an "air-gapped" system ahead of the test involving over 2.2 million students. Also, NTA is closing down several of its digital assets which may have gone into dormancy or disuse but could offer a gateway to hacking, officials in the know said.
A major MeitY focus area for the future - following the CBSE controversy over procurement - is the general lack of "elementary hygiene" in effecting hurried, over-ambitious technology transition targets by government departments, officials said.
ET gathers that the advisory that has gone to departments emphasises exercising caution in procurement processes and the need to fully ascertain the capacity/capability of private vendors.
[2]
Claude AI reportedly used to breach CBSE evaluation portal: What the report says
CBSE has since faced a 3.8 million-packet denial-of-service attack
A high-level expert panel from IIT Kanpur and IIT Madras, deployed to secure the CBSE's On-Screen Marking (OSM) portal, has found that powerful AI tools, reportedly Claude, were used to identify vulnerabilities and gain access to the system. The findings, reported by the Economic Times, reveal that the system was not equipped to withstand the kind of AI-assisted probing that has become increasingly accessible. The panel also found that the OSM vendor, Coempt Edutech, lacked adequate capability and conceptual understanding of portal security. Following the findings and with strong backing from the Ministry of Electronics and Information Technology (MeitY), CBSE's OSM data was moved from the private vendor to a government-managed segment of Amazon Web Services India.
What happened
The OSM system, introduced this year for Class 12 evaluation, was meant to allow answer sheets to be scanned and assessed digitally. Almost immediately, students reported serious issues: blurry scans, missing pages and answer sheets that appeared to belong to different students. Upon closer inspection, the security problems started surfacing.
Nisarga Adhikary, a 19-year-old cybersecurity researcher, publicly claimed he had found significant flaws in the portal months before the controversy exploded, including vulnerabilities that could allow examiner impersonation and password resets. He described it as "one of the easiest hacks of my life," saying it required no programming knowledge. He said he reported the issues to CERT-In and other authorities but received an inadequate response before going public. CBSE responded by saying the site Adhikary referenced was a testing environment containing sample data, not the live evaluation platform.
The expert panel, however, was not convened to debate that but to fix the underlying problem, and its findings about Claude and other AI tools being used to find entry points go beyond what any particular ethical hacker claims.
The broader picture
The CBSE fallout is part of a wider pattern of cyber pressure on India's examination infrastructure. One National Testing Agency (NTA) digital portal was hit by approximately 500,000 attempts on the same day, following which the Common University Entrance Test (CUET) was disrupted by technical glitches, preventing over 3,700 students from sitting the exam. CBSE also reported a 3.8 million-packet denial-of-service attack on its portal, which was successfully blocked. The Indian Computer Emergency Response Team (CERT-In) has been asked to conduct a full security audit of the CBSE portal.
In the aftermath, CBSE's Chairman Rahul Singh and Secretary Himanshu Gupta have both been replaced, with senior IAS officer Lokhande Prashant Sitaram appointed as the new Chairperson. A single-member inquiry committee has been set up to examine the OSM procurement process.
What the dry run had already flagged
A troubling aspect of the story is how much was known before the crisis. As per a report by Times Now, during a dry run in January 2026, evaluators flagged a long list of problems with the OSM system, including marks discrepancies, no auto-save feature, a non-functional remarks tool, poor interface design and excessive cognitive load. Evaluators reportedly preferred to mark answer sheets manually rather than use the digital system. Senior CBSE officials told evaluators at the time that OSM would only apply to non-academic subjects. It was eventually deployed across all subjects.
MeitY has since issued an advisory to government departments about what it describes as a general lack of "elementary hygiene" in rushed technology transitions, with an emphasis on building security into procurement processes from the design stage rather than retrofitting it.
A high-level expert panel from IIT Kanpur and IIT Madras discovered that Claude AI was used to identify and exploit vulnerabilities in CBSE's On-Screen Marking portal. The investigation revealed the vendor, Coempt Edutech, lacked adequate security knowledge, prompting an emergency data migration to government-controlled AWS infrastructure and triggering broader concerns about AI-assisted probing of India's examination systems.
AI tools, primarily Claude AI, were used to detect cybersecurity vulnerabilities and gain unauthorized access to the CBSE On-Screen Marking portal, according to findings from a high-level expert panel deployed by IIT Kanpur and IIT Madras [1]. The discovery marks a significant moment in understanding how accessible AI tools can be weaponized for AI-assisted probing of critical digital infrastructure. The CBSE portal breach exposed fundamental weaknesses in how educational institutions approach digital security, particularly as they rush to implement technology-driven evaluation systems.
The IIT Panel found that Coempt Edutech, the vendor responsible for the CBSE On-Screen Marking portal, did not possess adequate capability or conceptual knowledge about portal security mechanisms [1]. This revelation raises questions about procurement processes across government bodies. The system was not equipped to withstand the kind of AI-assisted probing that has become increasingly accessible to both ethical hackers and malicious actors [2].
With strong support from the Ministry of Electronics and Information Technology (MeitY), CBSE-OSM data was immediately shifted from the private vendor to a government-managed and controlled segment of Amazon Web Services India [1]. This emergency migration underscores the severity of the security lapses. The expert panel, deployed for a week, played a crucial role in ensuring the CBSE verification and re-evaluation portal went live on June 2, albeit a day late [1].
The panel also completed security audits of the JEE Advanced portal and Joint Seat Allocation Authority on Wednesday, addressing vulnerabilities after copies of admit cards linked to JEE Advanced emerged on social media earlier that week. CERT-In has been asked to conduct a comprehensive security audit of the CBSE portal while MeitY coordinates with NTA and CBSE to prevent further incidents.
The CBSE incident is part of a broader pattern of cyber pressure on India's examination infrastructure. One NTA digital portal was hit by approximately 500,000 attempts on Sunday, the same day CUET was disrupted by technical glitches that prevented over 3,700 students from appearing for the exam [1]. CBSE itself reported a denial-of-service attack causing 1.5 million hits within two minutes and more than 100,000 unauthorized file access attempts [1]. Additionally, CBSE faced a 3.8 million-packet denial-of-service attack that was successfully blocked [2].
Cybersecurity researcher Nisarga Adhikary, 19, publicly claimed he had found significant flaws in the portal months before the controversy exploded, describing it as "one of the easiest hacks of my life" that required no programming knowledge [2]. He reported the issues to CERT-In and other authorities but received an inadequate response before going public. While CBSE stated the site Adhikary referenced was a testing environment with sample data, the findings about Claude and other AI tools being used to find entry points extend beyond any single researcher's claims [2].
In the aftermath, CBSE's Chairman Rahul Singh and Secretary Himanshu Gupta have both been replaced, with senior IAS officer Lokhande Prashant Sitaram appointed as the new Chairperson [2]. A single-member inquiry committee has been established to examine the OSM procurement process. An advisory has been issued to key departments emphasizing the need for cybersecurity hygiene in digital services procurement from the design stage itself [1].
MeitY officials emphasize the general lack of "elementary hygiene" in rushed, over-ambitious technology transition targets by government departments [1]. The advisory stresses exercising caution in procurement processes and fully ascertaining the capacity and capability of private vendors before deployment. During a January 2026 dry run, evaluators had already flagged problems including marks discrepancies, no auto-save feature, poor interface design, and excessive cognitive load, yet the system was deployed across all subjects despite initial assurances it would only apply to non-academic subjects [2](https://www.digit.in/news/general/claude-ai-reported used-to-breach-cbse-evaluation-portal-what-the-report-says.html). This pattern suggests systemic failures in heeding early warnings and prioritizing security over implementation timelines.
Summarized by Navi