CBSE Portal Attack Hit 50 Students via HDFC Payment Gateway
Quick summary
India exam revaluation site compromise shows ed-tech payment integration risk. Lessons for webhook and session hardening.
Government sources told PTI on May 30, 2026 that the CBSE revaluation portal payment system suffered a malicious attack in which about 50 students gained unauthorised access and manipulated displayed fees, with some seeing amounts swing from roughly Re 1 to nearly Rs 67,000–68,000. Officials linked the window of abuse to the HDFC payment gateway integration when the portal came back online after downtime. HDFC has since been removed, four public-sector bank gateways were tested, and the stack was moved to Amazon Web Services (AWS) with audits led by IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India.
This is India's highest-visibility payment-integrity failure on a national education portal this week, with a direct lesson for anyone building fee, billing, or gov-tech checkout flows.
What happened on the CBSE revaluation portal?
The incident centers on the post-result / answer-sheet access and revaluation workflow for Class XII CBSE students, not the separate On-Screen Marking (OSM) evaluation system that CBSE publicly defended on May 26, 2026 against unrelated hacker claims.
According to government sources quoted across India TV, Times Now, The New Indian Express, and PTI:
- There were unauthorised attacks on the portal during a fragile relaunch period
- About 50 students ("50-odd children") got into the system tied to the HDFC payment gateway
- Those students manipulated what the portal displayed as payable fees
- Officials described motives as "out of fun" or mala fide in some cases
A senior education official told The New Indian Express (May 29) that payment problems during answer-sheet access were caused by "mischief" by roughly 50 students who "hacked into the CBSE portal", producing absurd quotes such as Rs 67,000 for sheet access for some users and Re 1 for others.
What students and parents saw
The user-visible failure mode was not silent data theft alone. It was erratic fee displays at checkout:
| Reported display | Context |
|---|---|
| ~Re 1 | Absurdly low fee shown to some students |
| ~Rs 67,000–68,000 | Extreme high fee shown to others |
| Normal revaluation fees | Expected rupee amounts in hundreds, not tens of thousands |
Sources said the anomalies affected about 50 student cases where the amount had changed during the vulnerability window.
Separately, officials acknowledged roughly 20 instances where students received wrong scanned answer sheets (another person's copy), against ~11.38 lakh answer-sheet requests overall. That is a data-handling glitch at national scale, distinct from but adjacent to the payment manipulation story.
Why HDFC gateway integration is the named failure point
Government sources consistently traced the payment glitch to HDFC Bank's payment gateway embedded in the CBSE portal when it went live after being non-functional for some time.
Official narrative as of May 30:
- Portal stability problems persisted ahead of relaunch
- HDFC gateway sync went live under load
- ~50 students exploited the window to alter displayed payment amounts
- Ministry intervened; HDFC removed from the flow
- PSU bank gateways tested; officials said a test run before May 30 looked stable
The New Indian Express named four PSU integrations tested smoothly: Bank of Baroda, Canara Bank, State Bank of India, and Indian Bank. Other outlets also listed Bank of Maharashtra in the PSU set. Treat the exact four-bank roster as ministry-confirmed at test time, with minor press variance on the fourth name.
Government response: May 24 meeting to May 30 fixes
On May 24, 2026, Union Education Minister Dharmendra Pradhan met Finance Minister Nirmala Sitharaman about payment and technical issues during CBSE's post-result and revaluation processes.
Outcomes described by May 30:
- Four PSU banks to strengthen payment gateway infrastructure and integrate with the post-exam portal
- Expert review by IIT Madras, IIT Kanpur, and Digital Infrastructure Corporation of India examining code and integration
- AWS migration after earlier capacity constraints ("issues of space"); government source: "now the system is on AWS"
That AWS detail matters for developers: the fix path is not only "swap banks" but cloud scale + payment rail hardening under political deadline pressure.
Separate story: OSM marking portal claims (do not conflate)
On May 26, CBSE denied that its production On-Screen Marking (OSM) evaluation portal was compromised, after West Bengal ethical hacker Nisarga Adhikary claimed CERT-In reporting and described severe issues, including password leaks and a master password in JS, on a different URL than production.
The Hindu quoted CBSE saying the evaluation URL "has neither been compromised nor does it have the vulnerabilities indicated."
The May 30 payment attack on the revaluation / answer-sheet portal is what government sources described to PTI on Friday. Readers and SEO should not merge the two into one "CBSE hacked" headline without qualification.
Developer and infrastructure lessons
Never trust client-displayed payment amounts. If ~50 users could make the UI show Re 1 or Rs 68,000, the architecture likely lacked server-side amount signing tied to order IDs, or allowed parameter tampering before redirect to the gateway.
Payment gateway cutover under outage pressure is high risk. Relaunching HDFC after portal downtime without canary traffic and amount integrity checks created a national incident.
Gov-tech needs the same controls as fintech: idempotent orders, HMAC-sealed fee payloads, audit logs per student roll number, and anomaly alerts when quoted amounts exceed policy bounds.
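A minimal sketch of the controls listed above (server-priced idempotent orders, an HMAC seal over the fee payload, a policy-bound check and a per-roll-number audit trail). This is an added example, not code from CBSE, HDFC or any of the cited reports; the key, fee table, bounds and field names are hypothetical.

```python
import hashlib
import hmac

# All values below are constructed for illustration (hypothetical key, fees, bounds).
SECRET_KEY = b"demo-only-load-from-a-secret-manager"
FEE_TABLE_PAISE = {"ANSWER_SHEET_COPY": 70_000, "REVALUATION": 10_000}
POLICY_MIN_PAISE, POLICY_MAX_PAISE = 5_000, 200_000
ORDERS = {}     # order_id -> sealed order; stands in for a database table
AUDIT_LOG = []  # (roll_no, order_id, outcome) tuples


def _seal(order_id, roll_no, amount_paise):
    """HMAC-SHA256 over the fields the browser must not be able to change."""
    msg = f"{order_id}|{roll_no}|{amount_paise}|INR".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def create_order(order_id, roll_no, service):
    """Price the order from the server-side fee table; idempotent on order_id."""
    if order_id in ORDERS:
        return ORDERS[order_id]
    amount = FEE_TABLE_PAISE[service]
    if not POLICY_MIN_PAISE <= amount <= POLICY_MAX_PAISE:
        raise ValueError("configured fee is outside policy bounds")
    order = {"order_id": order_id, "roll_no": roll_no, "amount_paise": amount,
             "sig": _seal(order_id, roll_no, amount)}
    ORDERS[order_id] = order
    return order


def verify_before_redirect(payload):
    """Validate a payload that round-tripped through the browser."""
    stored = ORDERS.get(payload.get("order_id"))
    expected = _seal(payload.get("order_id"), payload.get("roll_no"),
                     payload.get("amount_paise"))
    supplied = str(payload.get("sig", ""))
    if stored is None:
        outcome = "unknown_order"
    elif not hmac.compare_digest(expected.encode(), supplied.encode()):
        outcome = "bad_signature"
    elif payload["amount_paise"] != stored["amount_paise"]:
        outcome = "amount_mismatch"  # e.g. "70000" sent as a string
    else:
        outcome = "ok"
    AUDIT_LOG.append((payload.get("roll_no"), payload.get("order_id"), outcome))
    return outcome == "ok"
```

Order IDs are assumed to be server-generated and free of the `|` separator; every rejected outcome in the audit log is a candidate for an anomaly alert.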
AWS scale does not fix authZ bugs. Moving to AWS solves capacity; it does not replace secure payment orchestration. See how enterprise stacks handle agentic load in Snowflake's $6B AWS commitment as contrast: big cloud spend plus governance, not cloud alone.
Supply-chain week context: This lands beside TrapDoor and ChatGPhish, showing trust failures across npm, AI UI, and now national fee portals.
What students should do now
Officials said payment gateway problems had been resolved after HDFC removal and PSU bank testing. Students should:
- Use only the official CBSE portal URLs publicized by the board
- Screenshot fee pages before paying; report Re 1 or Rs 67,000 displays immediately
- Verify bank debit amounts against SMS/email confirmations, not only on-screen quotes
- Avoid third-party "fix" services claiming to expedite revaluation
Key Takeaways
- May 30, 2026 (PTI/government sources): ~50 students gained unauthorised access to the CBSE revaluation portal payment flow
- Fee displays swung from about Re 1 to Rs 67,000–68,000 for affected cases
- HDFC payment gateway was named as the integration point when the portal relaunched; HDFC later removed
- Fixes: PSU bank gateways (SBI, Canara, Indian Bank, BoB per NIE), IIT Madras/Kanpur audit, portal on AWS
- ~11.38 lakh answer-sheet requests; ~20 wrong-sheet cases reported separately
- For developers: enforce server-signed payment amounts; do not conflate this with the May 26 OSM denial story
- What to watch: formal CBSE written statement, CERT-In advisory, and whether police investigate the ~50 accounts
Frequently asked questions
What happened to the CBSE portal on May 30, 2026?
Government sources told PTI that the CBSE revaluation portal payment system was hit by a malicious attack in which about 50 students gained unauthorised access and manipulated displayed fees, with some seeing Re 1 and others nearly Rs 67,000-68,000.
Did 50 students hack the CBSE website?
Officials described unauthorised access and manipulation by about 50 students tied to the HDFC payment gateway window when the portal went live after downtime. Media and officials used terms including malicious attack, hacking, and mischief; treat legal attribution as pending unless law enforcement confirms.
Was HDFC Bank hacked?
Sources linked the glitch to the HDFC payment gateway integrated with the CBSE portal. HDFC was removed from the process and four public-sector bank gateways were integrated and tested instead.
Is the CBSE marking portal the same system?
No. CBSE separately denied on May 26, 2026 that its production On-Screen Marking evaluation portal was compromised, responding to ethical hacker claims about a different URL. The May 30 story concerns the revaluation and answer-sheet access payment portal.
What fixes did the government announce?
Removal of HDFC from the payment flow, integration and testing of PSU bank gateways, expert review by IIT Madras and IIT Kanpur with Digital Infrastructure Corporation of India, and migration of the portal infrastructure to AWS for capacity.
How many students were involved in the CBSE portal breach?
Government sources cited about 50 students who gained unauthorised access and manipulated the system during the HDFC payment gateway vulnerability window when the portal relaunched.
Why did CBSE fees show Rs 67,000 or Re 1?
Officials said roughly 50 students manipulated displayed payment amounts during a glitch tied to the HDFC gateway integration when the portal went live after being non-functional. The extremes were not normal revaluation fees.
Was HDFC removed from the CBSE portal?
Yes. Reporting on May 29-30, 2026 said payment problems were addressed after HDFC Bank was removed and public-sector bank gateways including SBI, Canara Bank, and Indian Bank were tested and integrated.
What should developers learn from the CBSE incident?
Payment amounts must be validated and signed server-side before gateway redirect. Client-displayed fees can be manipulated. High-traffic government portals need secure payment orchestration, not only cloud scaling on AWS.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 952+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
