
CDSL breach exposes 44 million investors’ data

Deepanker Verma November 8, 2021 Security


A vulnerability in CDSL Ventures Limited, a subsidiary of Central Depository Services, has exposed the personal and financial data of over 43.9 million Indian investors online. This data was exposed twice in a span of just 10 days.

A team of cybersecurity researchers reported this vulnerability to CERT-In and NCIIPC on October 19. CDSL took a week to fix it.

Researchers at CyberX9 found a security vulnerability in CDSL’s KYC system and reported it. After CDSL developers fixed the issue, the researchers discovered a complete bypass of that fix and were again able to access the data. The exposed records include personal information such as full name, PAN number, gender, marital status, father’s or spouse’s name, date of birth, nationality, residential address, permanent address, contact number, email address, and occupation. The financial data includes annual income tax return date, net worth, Demat account number, broker name, and CDSL Client ID.

“Both times data of people being exposed was of those who did their market securities KYC…Similar to last time, the discovered issue was an authorization vulnerability in a public CDSL’s KYC API, leading to exposing the massive amount of sensitive data to the whole internet,” CyberX9 reported.
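The report above describes the flaw only as an authorization vulnerability in a public KYC API. The following is an added illustration, not CDSL’s or CyberX9’s code, of what that class of bug looks like and how it is fixed and detected: a record lookup that verifies the caller is logged in but never checks that the requested record belongs to that caller, beside a hardened version that binds the lookup to the session identity. The record store, the `CLIENT-…` identifiers, the `kyc_officer` role and the access-log format are all constructed for the example and do not reflect CDSL’s actual API.

```python
"""Object-level authorization for a KYC record lookup: vulnerable vs hardened.

Added example; everything here (records, identifiers, roles, log format) is
constructed for illustration and is not CDSL's or CyberX9's code.
"""
from dataclasses import dataclass

# Constructed sample data: two KYC records belonging to two different clients.
KYC_RECORDS = {
    "CLIENT-0001": {"name": "Sample Investor A", "pan": "XXXXX0001X", "income": "5-10L"},
    "CLIENT-0002": {"name": "Sample Investor B", "pan": "XXXXX0002X", "income": "1-5L"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated caller. client_id is bound at login, never taken from the request."""
    client_id: str
    role: str = "investor"  # "kyc_officer" is an assumed privileged role name


class Forbidden(Exception):
    pass


def lookup_kyc_vulnerable(session, requested_client_id):
    """The failure mode: the handler checks that *a* session exists, but not that
    the session may read *this* record, so any logged-in caller can read other
    clients' records simply by changing the identifier in the request."""
    if session is None:
        raise Forbidden("not authenticated")
    return KYC_RECORDS.get(requested_client_id)


def lookup_kyc_hardened(session, requested_client_id):
    """Object-level authorization: compare the requested identifier with the
    identity bound to the session. Only an explicitly privileged role may read
    records other than its own, and that decision is made server-side."""
    if session is None:
        raise Forbidden("not authenticated")
    if session.role != "kyc_officer" and requested_client_id != session.client_id:
        # Same error as for a missing record, so the response does not confirm
        # which identifiers exist.
        raise Forbidden("record not found or not permitted")
    record = KYC_RECORDS.get(requested_client_id)
    if record is None:
        raise Forbidden("record not found or not permitted")
    return record


def lookup_kyc_own_record(session):
    """Strictest form: the endpoint accepts no client identifier at all and
    serves only the record bound to the session, so there is nothing to tamper with."""
    if session is None:
        raise Forbidden("not authenticated")
    return KYC_RECORDS[session.client_id]


def flag_enumeration(access_log, threshold=3):
    """Defender-side detection. access_log is a list of constructed entries
    (session_client_id, requested_client_id, http_status). Counts, per session,
    how many requests targeted a different client's record and returns the
    sessions at or above the threshold as suspected enumeration."""
    cross_account = {}
    for session_client_id, requested_client_id, _status in access_log:
        if requested_client_id != session_client_id:
            cross_account[session_client_id] = cross_account.get(session_client_id, 0) + 1
    return sorted(s for s, n in cross_account.items() if n >= threshold)


# Constructed access log: CLIENT-0001 walks through other clients' identifiers.
SAMPLE_ACCESS_LOG = [
    ("CLIENT-0001", "CLIENT-0001", 200),
    ("CLIENT-0002", "CLIENT-0002", 200),
    ("CLIENT-0001", "CLIENT-0002", 200),
    ("CLIENT-0001", "CLIENT-0003", 200),
    ("CLIENT-0001", "CLIENT-0004", 200),
]


if __name__ == "__main__":
    investor = Session("CLIENT-0001")
    print(lookup_kyc_vulnerable(investor, "CLIENT-0002")["name"])  # leaks another client's record
    try:
        lookup_kyc_hardened(investor, "CLIENT-0002")
    except Forbidden as exc:
        print("hardened:", exc)
    print("suspected enumeration:", flag_enumeration(SAMPLE_ACCESS_LOG))
```

The point of the hardened version is that the identity used for the check comes from the server-side session, not from anything the client sends; the detection function covers the case where such a check is missing and the API is being walked through one identifier at a time, which is the pattern that turns a single mis-authorized lookup into a bulk exposure.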

The researchers claim that the vulnerability was not highly complex to discover, which points to sheer negligence on CDSL’s part. CDSL also took a week to fix a vulnerability that should not have taken more than 2 hours. Unlike most companies, CDSL does not even provide a way to contact its security team to responsibly report security vulnerabilities.

The exposed data can be used for phishing attacks on investors: attackers can impersonate brokers, banks, and companies to dupe them. Income tax refund scams and extortion calls are also possible.




About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
