COEMPT Quality Assurance Engineers Allegedly Violated Indian CBSE Student Data Privacy Rights by Processing It with Google Gemini

In February 2026, 19-year-old ethical hacker Nisarga Adhikary discovered and reported security vulnerabilities in the Central Board of Secondary Education's (CBSE) OnMark digital evaluation platform operated by technology vendor COEMPT Eduteck. After initially reporting the issues on February 25, 2026, Adhikary found that while CBSE took the portal down within 3-4 days, six to seven vulnerabilities remained active and exploitable. On May 30, 2026, Adhikary successfully hacked into the CBSE's Principals dashboard, accessing 9.3 million columns and rows of sensitive student data including images of answer sheets that were unprotected and could be tampered with. The hacker revealed that COEMPT Eduteck had stored 2026 answer sheets and question papers in Amazon Web Services buckets without authentication, and that sensitive student data including personal information was being processed by Google's Gemini AI in automation scripts without student consent. Following public disclosure of these vulnerabilities, CBSE acknowledged the issues on May 31, 2026, stating the vulnerabilities had been contained and that cybersecurity experts from government agencies and Indian Institutes of Technology had been deployed to fortify the systems.