New Delhi: A flaw in a Central Depository Services (India) Limited (CDSL) subsidiary, CDSL Ventures Limited (CVL), exposed the personal and financial information of over 43 million Indian investors online. What’s troubling is that this data was exposed twice in a 10-day period. On October 19, the cybersecurity team notified CERT-In and NCIIPC about the incident. It took nearly a week for the organisation to patch the issue.
According to CyberX9, the problem could have been resolved in two hours. This breach will have an impact on investors since they will almost certainly become the target of phishing attacks in which hackers impersonate brokers, banks, and corporations in order to defraud them of their money.
In early October 2021, the research team at CyberX9 uncovered a serious security weakness in CDSL’s KYC wing. According to their findings, CVL was revealing extremely sensitive personal and financial data of 43.9 million Indian investors.
‘The people whose data was exposed were those who did their market securities KYC,’ the cybersecurity firm said, adding that the discovered issue was an authorisation vulnerability in a public CDSL KYC API, which resulted in a massive amount of sensitive data being exposed on the internet.
On October 29, the cybersecurity team discovered a comprehensive bypass for the remedy that CDSL had implemented to repair the previously reported issue. “Both times data of people being exposed was of those who did their market securities KYC… Similar to last time, the discovered issue was an authorisation vulnerability in a public CDSL’s KYC API, leading to exposing the massive amount of sensitive data to the whole internet,” CyberX9 reported.
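The article describes the flaw only as an authorisation vulnerability in a public KYC API, followed by a remedy that could be bypassed; it does not say how the API was built or what the bypass was. The example below is added here as an illustration of that vulnerability class and is not code from CDSL, CVL or CyberX9. The endpoint shape, the `Request` type, the session tokens and the records (all fictitious values) are constructed assumptions. It contrasts a lookup that returns a full record to anyone who supplies a PAN with a hardened lookup that ties the record to the authenticated caller and minimises the fields returned, and it includes the regression check a defender would run after any such fix: every session must be denied every record it does not own.

```python
"""
Added example, not the page's or CDSL's own code. Endpoint, session and
record values are constructed assumptions used to show the vulnerability
class (missing object-level authorisation on a public KYC lookup) and a fix.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records (fictitious values) with the kinds of fields
# the article lists as exposed.
KYC_RECORDS: Dict[str, dict] = {
    "ABCDE1234F": {
        "full_name": "Sample Investor One",
        "pan": "ABCDE1234F",
        "date_of_birth": "1980-01-01",
        "residential_address": "1 Example Street, Sample City",
        "annual_income": 1200000,
        "net_worth": 5000000,
        "demat_account": "1200000000000001",
        "broker": "Example Broker Ltd",
        "cdsl_client_id": "00000001",
    },
    "FGHIJ5678K": {
        "full_name": "Sample Investor Two",
        "pan": "FGHIJ5678K",
        "date_of_birth": "1975-06-15",
        "residential_address": "2 Example Street, Sample City",
        "annual_income": 800000,
        "net_worth": 2500000,
        "demat_account": "1200000000000002",
        "broker": "Example Broker Ltd",
        "cdsl_client_id": "00000002",
    },
}

# Constructed sessions: bearer token -> PAN of the investor it was issued to.
SESSIONS: Dict[str, str] = {"token-one": "ABCDE1234F", "token-two": "FGHIJ5678K"}


@dataclass
class Request:
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


def vulnerable_kyc_lookup(req: Request) -> Tuple[int, Optional[dict]]:
    """Vulnerable pattern: the record is selected purely by a caller-supplied
    identifier, and nothing checks who is asking. Any client on the internet
    that can guess or enumerate PANs receives the complete record."""
    rec = KYC_RECORDS.get(req.params.get("pan", ""))
    return (404, None) if rec is None else (200, rec)


def minimise(rec: dict) -> dict:
    """Data minimisation: even the owner gets masked identifiers, so a leaked
    response or compromised client reveals less."""
    return {
        "full_name": rec["full_name"],
        "pan": rec["pan"][:2] + "*" * 6 + rec["pan"][-2:],
        "demat_account": "*" * 12 + rec["demat_account"][-4:],
        "broker": rec["broker"],
    }


def hardened_kyc_lookup(req: Request) -> Tuple[int, Optional[dict]]:
    """Hardened pattern: authorisation is enforced on the object, not on the
    shape of the request. The subject comes from the session, and a supplied
    PAN is only honoured when it matches that subject."""
    subject_pan = SESSIONS.get(req.headers.get("Authorization", ""))
    if subject_pan is None:
        return 401, None                      # unauthenticated
    requested = req.params.get("pan", subject_pan)
    if requested != subject_pan:
        return 403, None                      # authenticated, but not the owner
    rec = KYC_RECORDS.get(subject_pan)
    return (404, None) if rec is None else (200, minimise(rec))


def cross_tenant_failures(handler) -> List[Tuple[str, str]]:
    """Authorisation regression check: drive the handler with every session
    against every record it does not own, plus an unauthenticated caller, and
    return the (caller, pan) pairs that still yield a 200. A correct fix
    returns an empty list; a filter-style patch that merely blocks one request
    shape would not pass this check if another shape reaches the same lookup."""
    failures = []
    for pan in KYC_RECORDS:
        if handler(Request("/kyc", {"pan": pan}, {}))[0] == 200:
            failures.append(("<anonymous>", pan))
        for token, owner in SESSIONS.items():
            if pan == owner:
                continue
            if handler(Request("/kyc", {"pan": pan}, {"Authorization": token}))[0] == 200:
                failures.append((token, pan))
    return failures


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_failures(vulnerable_kyc_lookup))
    print("hardened handler leaks:", cross_tenant_failures(hardened_kyc_lookup))
```

The check in `cross_tenant_failures` is the part worth keeping in a real codebase: re-running it after each remediation is what catches the situation the article describes, where a first fix appears to close the hole but a second route to the same unauthorised lookup remains.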
Personal information exposed by the security flaw included full name, full PAN number, gender, marital status, father’s or spouse’s full name, date of birth, nationality, complete residential address, complete permanent address, contact number(s), email address, and occupation details.
It also contained sensitive financial data such as the annual income figure from the income tax return submitted, net worth (together with the date it was last updated), Demat account number, broker name, and CDSL Client ID.
According to the cybersecurity team, the information disclosed by CDSL could be a virtual gold mine for phishing and could lead to Business Email Compromise (BEC) scams, in which attackers pose as brokers, banks, and enterprises to trick individuals and corporations into sending money to fraudsters. It could also lead to extortion calls and tax refund scams.