A vulnerability at a subsidiary of CDSL, CDSL Ventures Limited (CVL), exposed the financial and personal information of over 4 crore Indian investors twice within a 10-day period, according to CyberX9.
Central Depository Services (India) Limited (CDSL) is a SEBI-registered depository, and CDSL Ventures Ltd is a KYC registrar separately registered with the Securities and Exchange Board of India (SEBI).
CDSL reported that CVL had taken immediate action and the vulnerability had been mitigated.
CyberX9 reported the vulnerability to CDSL on October 19, and the securities depository took around seven days to fix it, although an immediate resolution could have been achieved.
“We verified the fix before publication and it was no longer exploitable. On October 29th, our research team got back to work and found an easy and complete bypass for the fix that CDSL had implemented to patch the earlier reported vulnerability.
“CERT-In and NCIIPC have accepted our vulnerability report for CDSL,” CyberX9 Founder and Managing Director Himanshu Pathak told PTI.
CyberX9 said that the exposed data includes an investor’s name, phone number, email address, PAN, income range, father’s name, date of birth, etc.
According to CDSL, there have been no security issues or data vulnerabilities at CDSL.
CDSL noted that CVL had received a vulnerability alert on its website, which has since been mitigated. “CVL has taken immediate actions to mitigate the vulnerability and is working proactively to address any other potential security issues,” CDSL said.
Both CDSL and CVL, as separate regulated entities with SEBI, have a clear arm’s length relationship, according to CDSL.
The vulnerability CyberX9 found the second time was not highly complex.
“CyberX9 strongly suspects that CDSL data has already been stolen by malicious attackers. A security audit of CDSL is needed by the government,” the blog said.
The Chandigarh-based cyber security startup said the information exposed by CDSL could be a goldmine for scammers involved in business email compromise, who impersonate companies, banks, and brokers to trick individuals and companies into transferring money to fraudsters.
“With access to CDSL KYC data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails. This would also give fraudsters a constant feed of investors getting KYC to use,” CyberX9 said.
Mass exposure of sensitive personal and financial data can lead to financial fraud, identity theft, extortion, and targeted attacks against individuals.