Oct 29, 2021 08:35 UTC
Oct 29, 2021 at 08:36 UTC
Data breach at India’s biggest Demat Depository CDSL
A team of cybersecurity named CyberX9 have found a data breach in the servers of the Central Depository Services Limited (CDSL) that maintains demat accounts of crores of investors.
According to CyberX9, the breach in the CDSL system exposed sensitive personal and financial data of an estimated 4.39 crore investors on whom CDSL has performed a Know Your Customer/Client (KYC) operation since 2005.
The CyberX9’s founder and managing director, Himanshu Pathak, called the data ‘exposed’ in the CDSL vulnerability a ‘virtual gold mine’ for phishers, scammers, and for ‘malicious attackers looking to spread misinformation to manipulate Indian share markets’.
It was found that data was breached because of a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL).
Himanshu Pathak said that the data was exposed because of a vulnerability in an Application Programming Interface (API) used by the CVL.
An API is a piece of software that sits between two computer applications. The two computer applications will use the API to send and receive data from each other.
CVL is a service set up to perform investor identity verification via KYC processes.
CVL, according to Pathak, is “exposing all KYC data of anyone who has gone through the CDSL KYC process”.
An API used by CVL to communicate and receive data from the main CDSL computer server has a vulnerability allowing anyone with enough technical know-how to use that API to bypass the need for proper authorisation to access sensitive investor data.
Although CDSL in a statement has contended that there had been no breach in the system, only vulnerability was found and has been sorted out.
The CDSL, a government-registered share depository, manages all investor accounts trading on the Bombay Stock Exchange. It is one of only two depository systems in the country handling crores of investor accounts, with the other being the National Securities Depository Limited (NSDL).