CDSL Fixes Vulnerability That Exposed Personal, Financial Data Of 4.39 Cr Investors

SUMMARY

The exposed data includes sensitive personal details of investors including their complete addresses

It also included financial details such as the annual income tax return filed, income estimates, net worth, demat account number and more

This is the second instance of vulnerability in CDSL databases reported within the last month

In yet another glaring cybersecurity issue that has raised alarms in the tech world, CDSL Ventures (CVL), a subsidiary of stock broking accounts provider CDSL or Central Depository Services Ltd, was found to be storing personal and financial data related to 4.39 Cr investors in India in an unsecured manner.

This is the second instance of vulnerability in CDSL databases reported within the last month. Both were reported to the company by Chandigarh-based cybersecurity startup CyberX9, and have now been fixed after an audit, as per CVL.

It must be noted that while data was exposed, it is not clear whether it was accessed by unauthorised parties. CVL is involved in KYC-related work for CDSL, which manages demat or stock broking accounts for millions of stock market investors in India. While India also has the National Securities Depository Limited (NSDL), CDSL is by far the largest player with 70% market share.

The exposed data is said to include sensitive personal details of investors including their full name, PAN details, gender, marital status, father/spouse’s full name, complete date of birth, nationality, all addresses, contact numbers, email IDs, occupation details and more.

More worryingly, it also included some financial details such as the annual income tax return filed, income estimates, net worth, demat account number, broker name, and CDSL client ID, which is used by stock broking firms. The data is said to date back to around 2005.

“CVL had received a vulnerability alert on the website of CVL which has since been mitigated. We would like to state that CVL took immediate actions to mitigate the vulnerability and have worked proactively to further address any other potential security issues,” CDSL said in press statements, according to news reports.

CyberX9, which reported both vulnerabilities, said the exposed data, “could be a virtual gold mine also for phishers and scammers,” and claimed it was able to find the loopholes very easily, indicating unauthorised parties would have been able to access it without using too many resources.

However, CDSL has responded that no unauthorised access is evident in this case. The CVL exposure is one of the largest cybersecurity vulnerabilities, and once again highlights how digital security practices can have an impact on the financial wellbeing of an individual or business.

Earlier this year, IPO-bound fintech company MobiKwik was at the centre of a massive data leak, which exposed the data of over 11 Cr users including merchants who had been using MobiKwik’s services. While MobiKwik has denied that there was any breach, the RBI is conducting an inquiry into this matter even as the company pushes for a public listing.

Besides this, Pine Labs was also caught in a potential data leak earlier this year, when 50,000 unique records from its user base were exposed, while sensitive personal data of users related to over 18 Cr orders from pizza chain Domino’s India appeared on the dark web in May.
