A vulnerability in the Central Depository Services (India) Limited (CDSL) subsidiary, CDSL Ventures Limited (CVL), exposed the personal and financial information of over 43 million Indian investors online. The data was exposed twice in a 10-day period.
The cybersecurity team first reported the matter to CERT-In and NCIIPC on October 19. It took the organisation almost a week to fix the vulnerability.
Personal information such as full name, full PAN number, gender, marital status, father's or spouse's full name, date of birth, nationality, complete residential address, complete permanent address, contact number(s), email address, and occupation details was among the data exposed by the security flaw.
According to CyberX9, the problem could have been resolved in two hours. This breach will have an impact on investors since they will almost certainly become the target of phishing attacks in which hackers impersonate brokers, banks, and corporations in order to defraud them of their money. It could also lead to income tax refund scams and even extortion.
“Both times data of people being exposed was of those who did their market securities KYC…Similar to last time, the discovered issue was an authorisation vulnerability in a public CDSL KYC API, leading to exposing the massive amount of sensitive data to the whole internet,” CyberX9 reported.