who-owns-coempt-eduteck-cbse-evaluation-row
By The Squirrels·
For most of the past month, the conversation around CBSE's botched digital evaluation has been about everything except the company that built it. Wrong answer sheets. Broken portals. Demands for inquiries. IIT cybersecurity experts dispatched to clean up the wreckage. Through it all, one name kept appearing in the margins of the story without quite breaking into the headlines: Coempt EduTeck Private Limited.
That has now changed.
The same company, under a different name
Coempt EduTeck is not a new player. Until its recent rebrand, the firm was known as Globarena Technologies — the technology partner of the Telangana State Board of Intermediate Education in 2019, the year roughly 3.8 lakh students received wrong or misleading marks and, in the aftermath, at least twenty-three students died by suicide.
A government-appointed expert committee found "systemic failures, procedural collapse, and glaring negligence" on the part of both the board and the company. Globarena, it noted, had been operating without a properly signed contract and with no standard operating procedures in place. The company had previously been rejected by the Andhra Pradesh government before Telangana picked it up.
It was never blacklisted. It changed its name.
Coempt EduTeck today operates from Hyderabad under director and CEO V S N Raju, who has publicly maintained that there was no breach on Coempt's platform. The firm currently holds digital evaluation contracts across Andhra Pradesh, Telangana, Tamil Nadu and Gujarat. In December 2025, CBSE handed it the largest contract of its kind in the country.
How the contract was won
The CBSE tender Coempt secured had gone through two failed rounds. It was on the third attempt — after the rules had been quietly revised through a series of corrigenda (formal last-minute amendments to a tender) — that the firm finally cleared.
The forensic work here has been done by Sarthak Sidhant, a 17-year-old Class 12 student, who read through hundreds of pages of CBSE's tender documents and published a detailed analysis. The pattern was striking.
The old rules required bidders to own the source code (the underlying programming) of their software; the new rules dropped that. Local server deployment was no longer required. The scoring matrix that had awarded twenty marks to bidders owning their own Tier-3 data centres (high-reliability data facilities) was rewritten so that owning servers no longer mattered. Physical server isolation was removed. And — most consequentially — the word "blacklisting" was erased from the penalty matrix through a corrigendum issued just before bidding closed.
The penalty structure itself was also restructured. Where the earlier draft fined vendors for wrong scanning, merged pages and unscanned books, the revised version replaced these with a flat fine of ₹50,000 per day for delays. Volume, in effect, was being prioritised over accuracy.
In the final round, Coempt and Tata Consultancy Services both held the relevant CMMI Level 5 certification (a top-tier software-engineering quality benchmark). TCS quoted around ₹65 per answer sheet. Coempt quoted ₹24.75.
Then the portal went live
By the time CBSE's OnMark portal went into production for the 2026 examination cycle, the consequences of those quiet rule changes were already showing up in code.
Nineteen-year-old ethical hacker Nisarga Adhikary demonstrated that the portal's access controls were broken. Its OTP-based authentication (the one-time-password system used to verify users at login) could be bypassed. Examiners could be impersonated. Marks could, in principle, be altered. A "master password" string was sitting directly inside the portal's publicly accessible JavaScript files (code that loads in the user's browser and is visible to anyone who looks for it). Not a hash, not an obfuscated token (cryptographic scrambling that protects the original password from being read) — the literal password.
Working separately, Sidhant later logged into another OnMark-linked subdomain using credentials Adhikary had shared. The password was 123456. The account, he wrote, granted super-administrator access.
The most damaging disclosure came on May 31, when Adhikary demonstrated that the Amazon Web Services storage bucket (a cloud storage container) holding scanned answer sheets and question papers from the 2026 cycle had been configured so loosely that its directory could be enumerated without authentication. In plain language: anybody on the open internet with basic technical skills could browse the folder and download answer scripts. Adhikary called the configuration "insanely insecure."
He said he had first reported his findings privately to CERT-In (the national cybersecurity response agency) and waited months for a response. When none came, he made the vulnerabilities public.
Link To Nisarga Adhikary's Full Analysis: Exposing Critical Vulnerabilities in CBSE’s On-Screen Marking Portal: From Authentication Bypass to Full Account Takeover
The board's response
CBSE's first instinct was denial. The board insisted that the URL Adhikary had probed belonged to a "testing portal" containing sample data, not the production system used for evaluating real answer books. Within days, that line was untenable. CBSE acknowledged the vulnerabilities, said they had been "contained," and announced that cybersecurity experts from government agencies, IIT Madras and IIT Kanpur had been deployed to harden the system.
The board has indicated it will penalise Coempt under existing penalty provisions. There is, however, a notable absence in what it can do — the contract, as Sidhant's analysis had shown weeks earlier, contains no blacklisting provision. The board has signalled that, from next year, scanned answer scripts may move on to DigiLocker (the government's official digital document repository) for greater transparency.
What CBSE has not addressed is the prior question. How was a vendor with this specific track record placed at the heart of a national examination system in the first place? How were the tender rules adjusted, in successive corrigenda, until a CMMI Level 5 firm could be edged out on price by a company quoting roughly a third less?
Congress leader Rahul Gandhi has demanded a Special Investigation Team and an independent judicial inquiry into exactly these questions, linking Coempt to the 2019 Telangana suicides. The board has not, so far, responded.
What this exposes
Strip away the cybersecurity vocabulary and what is left is a procurement story.
India's largest school board outsourced the integrity of its examinations to a private vendor whose name had recently been changed, whose previous failure was a matter of public record, and whose price was the lowest in the room. The board then rewrote its own tender to remove exactly the safeguards — source-code control, server isolation, blacklisting — that might have caught a problem of this kind in advance.
That is not a software bug. It is a procurement architecture that has stopped working.