A data breach at CDSL Ventures Limited (CVL), a subsidiary of Central Depository Services (India) Limited (CDSL), has exposed the personal and financial data of over 4 crore Indian investors twice in a period of 10 days, according to cybersecurity consultancy start-up CyberX9.
CDSL is a SEBI registered depository and CDSL Ventures Ltd is a KYC registering agency separately registered with the Securities and Exchange Board of India (SEBI).
According to reports, CDSL said that CVL took immediate action and that the vulnerability has since been mitigated.
CyberX9 reported the vulnerability to CDSL on October 19, and the securities depository took around 7 days to fix it.
The exposed data includes investors’ names, phone numbers, email addresses, PAN, income range, fathers’ names, dates of birth, etc., CyberX9 said in its blog.
Exposure of such sensitive personal and financial data on this scale can lead to financial fraud and identity theft, and can expose people to extortion and targeted attacks.
“We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability.
“CERT-In and NCIIPC also accepted our vulnerability report for CDSL,” CyberX9 Founder and Managing Director Himanshu Pathak told PTI.
“CVL had received a vulnerability alert on the website of CVL which has since been mitigated. We would like to state that CVL took immediate actions to mitigate the vulnerability and has worked proactively to further address any other potential security issues,” CDSL said.
Both entities, CDSL and CVL, being separately regulated by SEBI, have a clear arm’s-length relationship, CDSL said.
“We strongly suspect that the data might have already been stolen by malicious attackers. There is a need for a fair security audit of CDSL by the government,” the CyberX9 blog said.
The Chandigarh-based cyber security start-up said that the information exposed by CDSL could be a virtual gold mine for phishers and scammers involved in so-called business e-mail compromise, in which fraudsters often impersonate brokers, banks and businesses in a bid to trick individuals and companies into transferring funds to them, the media report added.
“Armed with such access to CDSL KYC data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails to use. A database like this would also give fraudsters a constant feed of new investors getting KYC to target them,” CyberX9 said.
The COVID-19 pandemic has given rise to cybercrime. Cybercrime operates at the individual, organisational and state/societal level. The question here is how important awareness is when it comes to cybersecurity.
“In present times, KYC (Know Your Customer) can be bought, a virtual number can be rented from overseas. The crimes can be committed via a virtual number, and once the crime is committed all accounts connected to that number are deleted, and at times it becomes difficult to track when organisations do not report the incident,” said Prof. Triveni Singh, IPS, SP Cybercrimes, Uttar Pradesh Police, India.