CDSL breach: 44 mn investors' data exposed, including PAN, Demat details

A vulnerability in a Central Depository Services (India) Limited (CDSL) subsidiary, CDSL Ventures Limited (CVL) has left the personal and financial details of over 43 million investors in India exposed online. What's disconcerting is the fact this data was exposed twice in a span of 10 days. The cybersecurity team first reported the matter to CERT-In and NCIIPC on October 19. It took the organisation almost a week to fix the vulnerability. CyberX9 said that the issue could have been fixed in two hours. This breach will impact investors as they will likely become the target of phishing attacks in which hackers impersonate brokers, banks and companies to dupe them of their money. It could also lead to income tax refund scams and even extortion.

Cybersecurity firm CyberX9's research team discovered a critical security vulnerability in CDSL's KYC wing in early October 2021. As per their research, CVL was exposing extremely sensitive personal and financial data of 43.9 million investors in India. ‘The data of people being exposed was of those who did their market securities KYC,' the cybersecurity firm report SAID adding that the discovered issue was an authorisation vulnerability in a public CDSL's KYC API, leading to exposing the massive amount of sensitive data on the internet.

Then on October 29, the cybersecurity team found a complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. “Both times data of people being exposed was of those who did their market securities KYC...Similar to last time, the discovered issue was an authorisation vulnerability in a public CDSL's KYC API, leading to exposing the massive amount of sensitive data to the whole internet,” CyberX9 reported.

The data that the security vulnerability left exposed included personal information such as full name, complete PAN No, gender, marital status, father/spouse's full name, date of birth, nationality, complete residential address, complete permanent address, contact number(s), email address, occupation details. It also included sensitive financial information including the amount of annual income tax return filed, net worth (along with the date on which it was updated), Demat account number, broker name, and CDSL Client ID.

Impact on investors

The cybersecurity team says that this information exposed by CDSL could be a virtual gold mine also for phishing and will lead to Business Email Compromise (BEC) scams, wherein hackers impersonate brokers, banks, and businesses in a bid to trick individuals and companies into transferring funds to fraudsters. It could also lead to income tax refund scams and extortion calls.