CDSL breach: 44 mn investors' data exposed, including PAN, Demat details | Tech News

CDSL breach: 44 mn investors' data exposed, including PAN, Demat details

Phishing attacks are feared after CDSL breach exposed details like PAN number, address, contact number, email, amount of annual income tax return filed, Demat account and more

By: HT TECH
| Updated on: Nov 08 2021, 14:28 IST
A vulnerability in a Central Depository Services (India) Limited (CDSL) subsidiary, CDSL Ventures Limited (CVL) has left the personal and financial details of over 43 million investors in India exposed online.
A vulnerability in a Central Depository Services (India) Limited (CDSL) subsidiary, CDSL Ventures Limited (CVL) has left the personal and financial details of over 43 million investors in India exposed online. (Pixabay)

A vulnerability in a Central Depository Services (India) Limited (CDSL) subsidiary, CDSL Ventures Limited (CVL) has left the personal and financial details of over 43 million investors in India exposed online. What's disconcerting is the fact this data was exposed twice in a span of 10 days. The cybersecurity team first reported the matter to CERT-In and NCIIPC on October 19. It took the organisation almost a week to fix the vulnerability. CyberX9 said that the issue could have been fixed in two hours. This breach will impact investors as they will likely become the target of phishing attacks in which hackers impersonate brokers, banks and companies to dupe them of their money. It could also lead to income tax refund scams and even extortion.

Cybersecurity firm CyberX9's research team discovered a critical security vulnerability in CDSL's KYC wing in early October 2021. As per their research, CVL was exposing extremely sensitive personal and financial data of 43.9 million investors in India. ‘The data of people being exposed was of those who did their market securities KYC,' the cybersecurity firm report SAID adding that the discovered issue was an authorisation vulnerability in a public CDSL's KYC API, leading to exposing the massive amount of sensitive data on the internet.

You may be interested in

MobilesTablets Laptops
7% OFF
Apple iPhone 15 Pro Max
  • Black Titanium
  • 8 GB RAM
  • 256 GB Storage
28% OFF
Samsung Galaxy S23 Ultra 5G
  • Green
  • 12 GB RAM
  • 256 GB Storage
Google Pixel 8 Pro
  • Obsidian
  • 12 GB RAM
  • 128 GB Storage
Apple iPhone 15 Plus
  • Black
  • 6 GB RAM
  • 128 GB Storage

Then on October 29, the cybersecurity team found a complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. “Both times data of people being exposed was of those who did their market securities KYC...Similar to last time, the discovered issue was an authorisation vulnerability in a public CDSL's KYC API, leading to exposing the massive amount of sensitive data to the whole internet,” CyberX9 reported.

Also read
Looking for a smartphone? To check mobile finder click here.

The data that the security vulnerability left exposed included personal information such as full name, complete PAN No, gender, marital status, father/spouse's full name, date of birth, nationality, complete residential address, complete permanent address, contact number(s), email address, occupation details. It also included sensitive financial information including the amount of annual income tax return filed, net worth (along with the date on which it was updated), Demat account number, broker name, and CDSL Client ID.

Impact on investors

The cybersecurity team says that this information exposed by CDSL could be a virtual gold mine also for phishing and will lead to Business Email Compromise (BEC) scams, wherein hackers impersonate brokers, banks, and businesses in a bid to trick individuals and companies into transferring funds to fraudsters. It could also lead to income tax refund scams and extortion calls.

Catch all the Latest Tech News, Mobile News, Laptop News, Gaming news, Wearables News , How To News, also keep up with us on Whatsapp channel,Twitter, Facebook, Google News, and Instagram. For our latest videos, subscribe to our YouTube channel.

First Published Date: 08 Nov, 14:28 IST
Tags:
NEXT ARTICLE BEGINS