CDSL Ventures (CVL), a subsidiary of leading demat services provider CDSL, claims to have fixed a ‘vulnerability’ in its systems that could have become a potential target for hackers. CVL is involved in KYC-related work for CDSL and hence holds data of millions of stock market investors in India.
CyberX9, a cyber security start-up, had claimed that it reported a vulnerability in their systems to CDSL and CVL, and that they took 7 days to fix it. However, a source close to CVL said that the vulnerability was fixed immediately and did not lead to any data breach or hacking. The source further said that an audit of CVL's data systems was conducted and vulnerabilities were proactively fixed.
“CVL had received a vulnerability alert on the website of CVL which has since been mitigated. We would like to state that CVL took immediate actions to mitigate the vulnerability and have worked proactively to further address any other potential security issues,” CDSL told news agencies.
“Discovered second time”
Reportedly, CyberX9, a Chandigarh-based consultancy firm, claimed that the vulnerability was not highly complex and that this was the second time the firm had discovered it.
“CDSL was exposing extremely sensitive personal and financial data of about 43.9 million (about 4.39 crore) investors in India. The data being exposed belonged to those who did their market securities KYC. In India, you have to go through a KYC process for investing in securities like stocks, mutual funds, bonds,” it said.
“We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. CERT-In and NCIIPC also accepted our vulnerability report,” CyberX9 said on its blog.