CDSL said that CVL has taken immediate action and now the vulnerability has been mitigated.
According to CyberX9, it reported the vulnerability to CDSL on October 19 and it took approximately 7 days for the securities depository to fix it, which could have been resolved immediately.
“We verified the fix prior to publication and it was no longer exploitable. Later, on October 29, our research team had to rework and within minutes they found an easy and complete bypass to the fix which CDSL had previously applied to the reported vulnerability.
“CERT-In and NCIIPC have also accepted our vulnerability report for CDSL,” Himanshu Pathak, Founder and Managing Director, CyberX9 told PTI.
CyberX9 said in its blog that the exposed data included investors’ names, phone numbers, email addresses, PAN, income limit, father’s name, date of birth, etc.
When contacted, CDSL said that there is no security issue or data vulnerability in CDSL.
CDSL said, “CVL received a vulnerability alert on CVL’s website which has since been mitigated. We would like to point out that CVL has taken immediate action to mitigate the vulnerability and address any other potential security issues.”
CDSL said that the two entities, CDSL and CVL, are separately regulated by SEBI and have a clear arm’s-length relationship.
CyberX9 said the vulnerability was not overly complex the second time its team discovered it.
“We strongly suspect that the data has already been stolen by malicious attackers. There is a need for an impartial security audit of CDSL by the government,” the CyberX9 blog said.
The Chandigarh-based cyber security startup said the information exposed by CDSL could be a virtual goldmine for phishers and scammers involved in so-called business e-mail compromise, which often impersonates brokers, banks and businesses to trick individuals and companies into transferring money to fraudsters.
“With such access to CDSL KYC data, phishers and scammers will have an endless supply of compelling scamming templates to use over calls and emails. Such a database will also provide fraudsters with a constant feed of new investors seeking KYC,” CyberX9 said.
Exposure of sensitive personal and financial data belonging to a large number of people can leave those people open to financial fraud, identity theft, extortion, targeted attacks and similar harms.