CyberX9 has reported that a vulnerability at CDSL’s KYC registering wing has exposed the personal and financial data of 4.39 crore Indian investors twice in 10 days. The cyber security consultancy startup had reported the data breach to CDSL on 19 October, but the SEBI-registered depository took around a week to fix it.
According to Himanshu Pathak, the consultancy’s founder and managing director, the vulnerability was fixed and could no longer be used to access investors’ data. However, on 29 October, CyberX9’s researchers found an alternate bypass for the fix implemented by CDSL.
Let’s dive into the details of this data breach.
About CDSL Ventures Limited
CDSL Ventures (CVL) is Central Depository Services (India) Limited’s (CDSL) fully owned subsidiary. This KYC registering agency is registered with SEBI separately from CDSL. It stores and safeguards investors' information and provides fully digitised KYC services.
CCA (Controller of Certifying Authorities) has enlisted CVL as an ESP (e-Sign Service Provider) to provide e-sign services to application service providers via online Aadhaar eKYC.
The company’s e-sign services can be integrated with various applications allowing the digital signing of documents. This allows companies to save time, streamline processes and reduce costs while providing convenience and security to citizens.
CVL also provides eKYC services based on Aadhaar, as it is registered with UIDAI as KUA/AUA. Coupled with e-sign services, this service enables intermediaries to provide online account opening for their customers. CVL has also developed the OLAO (OnLine Account Opening) software to let companies perform online KYC, open Demat and brokering accounts, etc.
CDSL is currently the largest depository system in India, with the only other depository being NSDL (National Depository Limited). As of 8 July 2021, the depository hit a significant milestone of opening 4 crore active Demat accounts. It opened 1 crore Demat accounts in five months, having achieved the 3-crore mark in February 2021.
First Report of the Data Breach
On 19 October, a team of cyber security researchers at CyberX9 discovered a critical data security issue. According to them, this could have given hackers unauthorised access to sensitive personal and financial data of over 4.39 crore investors.
The researchers discovered an authorisation vulnerability in a specific API (Application Programming Interface), which allowed malicious attackers to retrieve the data of all investors who obtained KYC since 2005.
The personal and financial data potentially leaked included data points such as name, address, PAN number, annual income, Demat account number, etc. All of this information was accessible to any malicious actor until 25 October.
This could have enabled them to launch customised attacks and commit financial fraud, impersonation, identity theft, extortion etc. Hackers could use the stolen data to disrupt the stock market via misinformation campaigns on a larger scale.
On discovering the data breach, CyberX9 flagged it to MEITY’s CERT-In and NTRO’s NCIIPC. The company also highlighted the extremely negative impact of this exploit and requested the national nodal agency to immediately resolve the issue. On 20 October, CERT-In asked for ‘relevant screenshots’ and registered the complaint for ‘appropriate action’.
CVL’s Second Data Breach
Following CyberX9’s complaint, CDSL announced that they took immediate action to mitigate the vulnerability. However, CyberX9 claims that CDSL and CVL took 7 days to fix it. After this, the cyber security company verified the fix and confirmed that it was no longer exploitable.
On 29 October, CyberX9’s research team found an easy and complete bypass for the fix implemented by CDSL.
The company has said that, for the second time, the vulnerability was not too complex. As such, there is a real threat that malicious attackers may have already stolen the data. According to CyberX9, the government needs to conduct a fair security audit of CDSL.
CVL has announced that it mitigated the vulnerability as soon as possible. It also said that it worked proactively to address any other potential security issues. According to a source close to CVL, the depository fixed the problem soon, leading to no data breaches.
What Does This Mean for Investors?
According to the Chandigarh-based cyber security firm, the data breach exposed 19 data types of each investor. Some of these are:
- The individual’s full name
- PAN number
- Marital status
- Father/spouse’s name
- Date of birth
- Residential and permanent address
- Contact information
- Occupation details
- Annual income tax
- Net worth
- Demat account number
- Broker name
- CDSL client ID
According to CyberX9, this information leak could be a gold mine for phishers and scammers who impersonate financial institutions to trick individuals and companies. Moreover, fraudsters would have a constant supply of new investors who applied for KYC. These malicious attackers could easily scam individuals and companies into transferring funds into their accounts.
Frequently Asked Questions
- What does CyberX9 do?
CyberX9 is a Chandigarh-based cyber security startup with 15 senior cyber security experts around the world. It has worked for Fortune 500 companies, law enforcement agencies, and high-net-worth individuals.
- What is an API?
An Application Programming Interface (API) is a software interface that sits between two applications and lets them send and receive data.
- How did an API vulnerability of CVL expose investors’ sensitive data?
CVL’s API was used to send/receive data from the computer servers of CDSL. A vulnerability allowed anyone with enough technical knowledge to bypass the proper authorisation system to gain access to sensitive personal and financial data.