“…the web portal of CVL is vulnerable to Insecure Direct Object References. It was initially observed that on the login page of CVL, there was a possibility of getting access to the details of another user by changing the reference ID of the user,” the Ministry of Finance wrote in response to a question by Indian National Congress MP Manish Tewari in the winter session of the Lok Sabha. The ministry also shed light on how the vulnerability was fixed: “by encrypting the reference ID,” the reply added.
The Central Depository Services Limited (CDSL) is one of the two SEBI-regulated depositories that hold securities like shares, mutual funds, and bonds in electronic format. Nearly 600 stockbrokers who collectively have over 4 crore investor accounts are associated with CDSL. CDSL Ventures (CVL) is a government-approved KYC registration agency owned by CDSL.
A second vulnerability was also found in CVL; the firm fixed it promptly and reported it to the Indian Computer Emergency Response Team (CERT-In). The ministry also revealed that a forensic audit of CVL was conducted at the direction of the Securities and Exchange Board of India (SEBI).
The ministry clarified that “there was no authorization vulnerability in any of the Application Programming Interfaces (APIs) and/or website of Central Depository Services Ltd. (CDSL)”.
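The reference-ID flaw the ministry describes is the textbook Insecure Direct Object Reference: a record is fetched by an identifier the client supplies, with no check that the record belongs to the logged-in user. The block below is an added example written for this page, not code from CVL, CDSL or the article. It models the vulnerable lookup, the enumeration an attacker would run against it, and the hardened lookup that binds the record to the session user. It also adds an opaque, HMAC-tagged identifier as a stand-in for an "encrypted reference ID"; that layer stops guessing of valid references, but the ownership check is kept underneath it because a genuine reference can still leak. The users, records, key and function names are all constructed for illustration.

```python
"""Added example, not code from CVL, CDSL or the article: a minimal model of
an Insecure Direct Object Reference on a reference-ID lookup, the enumeration
attack against it, and the server-side ownership check that closes it.
Records, users, key and token format below are constructed for illustration;
the HMAC-tagged token is a stand-in for an opaque id, not CVL's actual fix."""
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample KYC store: reference_id -> record (placeholder fields).
KYC_RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "pan": "AAAAA0000A"},
    1002: {"owner": "bob", "name": "Bob Example", "pan": "BBBBB1111B"},
}

SERVER_KEY = b"constructed-demo-key-not-for-production"  # assumed server secret
TAG_LEN = 16


class Forbidden(Exception):
    """Raised when the session user may not read the requested record."""


def lookup_vulnerable(session_user: str, reference_id: int) -> dict:
    """IDOR pattern: the record is fetched by the caller-supplied id alone,
    so any authenticated user can read any record by changing reference_id."""
    return KYC_RECORDS[reference_id]


def lookup_hardened(session_user: str, reference_id: int) -> dict:
    """Object-level authorization: the record must belong to the session user.
    The check is on the stored owner, not on the form of the id, so it holds
    whether ids are sequential, random or encrypted."""
    record = KYC_RECORDS.get(reference_id)
    if record is None or record["owner"] != session_user:
        # One response for 'missing' and 'not yours': no existence oracle.
        raise Forbidden("no such record for this user")
    return record


def issue_token(reference_id: int) -> str:
    """Opaque reference: id plus an HMAC tag, so clients cannot forge or
    guess valid identifiers. This limits enumeration; it is not authorization."""
    msg = str(reference_id).encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(msg + tag).decode()


def forge_token(reference_id: int) -> str:
    """What an attacker without SERVER_KEY can build: right id, wrong tag."""
    fake = str(reference_id).encode() + b"\x00" * TAG_LEN
    return base64.urlsafe_b64encode(fake).decode()


def parse_token(token: str) -> Optional[int]:
    """Return the reference id if the tag verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        return int(msg)
    except (ValueError, TypeError):
        return None


def lookup_by_token(session_user: str, token: str) -> dict:
    """Both layers: reject unverifiable tokens, then still check ownership,
    because a genuine token can leak (logs, shared links, another user)."""
    reference_id = parse_token(token)
    if reference_id is None:
        raise Forbidden("invalid reference")
    return lookup_hardened(session_user, reference_id)


def enumerate_records(lookup, session_user: str, id_range) -> list:
    """Simulate the attack: walk a range of reference ids as one user and
    collect every record the lookup hands back."""
    found = []
    for rid in id_range:
        try:
            found.append((rid, lookup(session_user, rid)["name"]))
        except (KeyError, Forbidden):
            continue
    return found


def denied(fn, *args) -> bool:
    """True if the call is refused with Forbidden (shows the negative case)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable:", enumerate_records(lookup_vulnerable, "alice", ids))
    print("hardened:  ", enumerate_records(lookup_hardened, "alice", ids))
```

Run as a script, the vulnerable lookup hands Alice both records in the range while the hardened one returns only her own. The design point is the order of the two defences: an opaque identifier is worth having because it makes enumeration impractical, but the authorization decision must still be made against the stored owner on every request.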
Minister of State for Finance's answer in #loksabha on a question related to the CDSL KYC data breach. He acknowledged there was an issue and a fix was provided. This is probably the first time the government is accepting a large data breach in part. https://t.co/nTarpmUI4D pic.twitter.com/2DDmBLzUJk
— Srinivas Kodali (@digitaldutta) November 29, 2021
It is the first time that the government has acknowledged a vulnerability in critical infrastructure of this kind: an agency that holds the data of crores of investors.
Why was this question raised in the Parliament?
It all started when cybersecurity firm CyberX9 reported, on November 8, that CDSL, India's largest securities depository, had exposed sensitive data of around 4.39 crore investors.
“We strongly suspect that the data might’ve already been stolen by malicious attackers,” CyberX9 had said then.
What personal and financial data were exposed?
CyberX9 reported that the exposed data includes sensitive personal details like:
- Full name
- Complete PAN number
- Marital status
- Father/spouse’s full name
- Complete Date of Birth
- Complete residential address
- Complete permanent address
- Contact number(s)
- Email address
- Occupation details
And financial details like:
- Amount of annual income tax return filed
- Net worth (along with the date on which it was updated)
- Demat account number
- Broker name
- CDSL Client ID