43.9 million investors’ details leaked via CVL: CyberX9

The Central Depository Services (I) Ltd (CDSL) is a SEBI-registered depository and CDSL Ventures Ltd is a KYC registering agency separately registered with the Securities and Exchange Board of India (SEBI). CDSL said CVL has taken immediate action and the vulnerability has been mitigated now.

As per CyberX9, it reported the vulnerability on October 19, to CDSL and the securities depository took around 7 days to fix it which could have been resolved immediately. “We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. CERT-In and NCIIPC also accepted our vulnerability report for CDSL,” CyberX9 Founder and MD Himanshu Pathak said.

The exposed data includes investors name, phone number, email address, PAN, income range, father’s name, date of birth etc, CyberX9 said. When contacted, CDSL said there has been no security issue or data vulnerability at CDSL. “CVL had received a vulnerability alert on the website of CVL which has since been mitigated. We would like to state that CVL took immediate actions to mitigate the vulnerability and have worked proactively to further address any other potential security issues,” CDSL said.

Both the entities CDSL and CVL, as separate regulated entities with SEBI, have a clear arm’s length relationship, CDSL said.

CyberX9 said the vulnerability was not highly complex the second time its team discovered it. “We strongly suspect the data might have already been stolen by malicious attackers. There is a need for a fair security audit of CDSL by the government,” the Chandigarh-based cyber security start-up said.