According to the cyber security consultancy CyberX9, a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL), exposed the personal and financial data of over 4 crore Indian investors twice in ten days. CDSL Ventures Ltd is a KYC registration agency independently registered with the Securities and Exchange Board of India (SEBI), and Central Depository Services (India) Limited (CDSL) is a SEBI-registered depository.
CVL has taken swift action, according to CDSL, and the vulnerability has now been mitigated. According to CyberX9, the vulnerability was disclosed to CDSL on October 19, and the securities depository took roughly 7 days to address it, despite the fact that it could have been fixed instantly.
The vulnerability, according to CyberX9, a Chandigarh-based consultancy firm, was not very difficult to find, and the firm detected it for a second time after the initial fix. “CDSL was exposing extremely sensitive personal and financial data of about 43.9 million (about 4.39 crore) investors in India. The data being exposed belonged to those who did their market securities KYC. In India, you have to go through a KYC process for investing in securities like stocks, mutual funds, bonds,” it said.
The information exposed by CDSL, according to the Chandigarh-based cyber security start-up, could be a virtual gold mine for phishers and scammers engaged in so-called business e-mail compromise, who frequently impersonate brokers, banks, and businesses in an attempt to dupe individuals and companies into transferring funds to fraudsters.
“We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. CERT-In and NCIIPC also accepted our vulnerability report,” CyberX9 said on its blog. According to CyberX9, the exposed data includes the investor's name, phone number, email address, PAN, salary range, father's name, and date of birth.
Phishers and scammers with access to CDSL KYC data would have an unending supply of convincing scam templates for calls and emails. According to CyberX9, a database like this would give fraudsters a constant stream of newly onboarded investors undergoing KYC to target. Exposing sensitive personal and financial data to large groups of people can result in financial fraud, identity theft, and exposure to extortion, targeted attacks on individuals, and similar harms.