NEW DELHI: Over 4 crore Indian investors’ personal and financial data was exposed twice in ten days due to a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL), according to cyber security consultancy startup CyberX9.
CDSL Ventures Ltd is a KYC registering agency independently registered with the Securities and Exchange Board of India (SEBI), and Central Depository Services (India) Limited (CDSL) is a SEBI-registered depository.
CVL has taken swift action, according to CDSL, and the vulnerability has now been mitigated.
According to CyberX9, the vulnerability was disclosed to CDSL on October 19, and the securities depository took roughly 7 days to address it, despite the fact that it could have been fixed instantly.
“Before publishing the fix, we double-checked that it was no longer exploitable. On October 29th, our research team went back to work and discovered an easy and full bypass for the workaround that CDSL implemented to patch the previously reported vulnerability in just a few minutes,” said CyberX9 Founder and Managing Director Himanshu Pathak.
Pathak added that their vulnerability report for CDSL was also accepted by CERT-In and NCIIPC.
According to CyberX9’s blog, the exposed data includes an investor’s name, phone number, email address, PAN, income range, father’s name, date of birth, and so on.
When contacted, CDSL stated that no security breach or data vulnerability had occurred.
“CVL got a security alert on its website, which was quickly addressed. We’d like to emphasise that CVL acted quickly to resolve the vulnerability and has been diligent in addressing any other possible security vulnerabilities,” CDSL said.
CDSL and CVL are independent regulated entities with SEBI and have a clear arm’s length relationship, according to CDSL.
The second time CyberX9 detected the vulnerability, the company said, it was not very hard to find.
“We have a strong suspicion that malevolent attackers have already grabbed the data. The government should conduct an impartial security audit of CDSL,” the CyberX9 blog said.
The information exposed by CDSL, according to the Chandigarh-based cyber security startup, could be a virtual gold mine for phishers and scammers engaged in so-called business e-mail compromise, who frequently impersonate brokers, banks, and businesses in an attempt to dupe individuals and companies into transferring funds to fraudsters.
Exposing sensitive personal and financial data to large groups of people can result in financial fraud, identity theft, extortion, targeted attacks on individuals, and similar harms.