Central Depository Services Ltd (CDSL) is downplaying the vulnerability in its subsidiary, CDSL Ventures Ltd, which has allegedly exposed the personal and financial data of over 4 crore Indian investors twice in a period of 10 days, according to start-up CyberX9.
Himanshu Pathak, Managing Director, CyberX9, told BusinessLine, “The KYC data gathered is from 2005 till date. CDSL is just trying to undermine the issue. We contacted CERT-In, NCIIPC, National Cyber Coordination Centre and all of these bodies confirmed in the email that CDSL is responsible for managing the repository, but CDSL argued with us that the vulnerability was with CVL.”
While CDSL Ventures Ltd (CVL) is a subsidiary of CDSL, according to Pathak, both the entities have the same team managing cybersecurity in the back-end.
“CDSL is so high-handed that they are not concerned with a data leak, which includes data of nearly 90 per cent of investors, including details of their names, mobile numbers, email ids, names of parents, source of income and income tax return details. They took seven days to fix the vulnerability that we notified. This should have been done in two hours. Yet, within 48 hours of them declaring the issue fixed, the data was exposed again.”
CyberX9 first came across the leak in early October; CDSL fixed it after the agency informed it. On October 29 the data was again found exposed by CyberX9’s team.
The exposed data included personal details such as full name, PAN number, gender, date of birth, residential address, permanent address, contact numbers, email ids and occupation details. It also included sensitive financial details such as the amount filed in the income tax return, net worth (along with the date on which it was updated), Demat account number, broker name and CDSL Client ID, CyberX9 said.
“On 29th October 2021, our research team got to work again and within a couple of minutes found a laughably easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. Means, we found CDSL, once again, for the second time, exposing the same extremely sensitive personal and financial data of ~43.9 million (~4.39 crore) investors, as earlier,” CyberX9 said in a blog post.
“Similar to the last time, the discovered issue was an authorisation vulnerability in a public CDSL KYC API, leading to a massive amount of sensitive data being exposed to the whole internet,” it added.
CDSL Ventures (CVL) claims to have fixed a ‘vulnerability’ in its systems, but experts said only an independent audit could establish if the exposed data was actually breached by unethical hackers.