wordpress blog stats
Connect with us

Hi, what are you looking for?

Finance Ministry identifies weak link in CDSL that put sensitive data of investors at risk

The ministry’s answer in parliament revealed new details about a critical flaw at India’s largest securities depository.  

“…the web portal of CVL is vulnerable to Insecure Direct Object References. It was initially observed that on the login page of CVL, there was a possibility of getting access to the details of another user by changing the reference ID of the user,” the Ministry of Finance wrote in response to a question by Indian National Congress MP Manish Tewari in the winter session of Lok Sabha. The ministry also shed light on how the vulnerability was fixed “by encrypting the reference ID, the reply added.

The Central Depository Services Limited (CDSL) is one of the two SEBI-regulated depositories that hold securities like shares, mutual funds, and bonds in electronic format. Nearly 600 stockbrokers who collectively have over 4 crore investor accounts are associated with CDSL. CDSL Ventures (CVL) is a government-approved KYC registration agency owned by CDSL.

A second vulnerability was found in CVL which was promptly fixed by the firm and the same was conveyed to the Indian Computer Emergency Response Team (CERT-In). The ministry also revealed that a forensic audit of CVL was conducted at the direction of the Securities and Exchange Board of India (SEBI).

The ministry clarified that “there was no authorization vulnerability in any of the Application Programming Interfaces (APIs) and/or website of Central Depository Services Ltd. (CDSL)”.

Advertisement. Scroll to continue reading.

It is the first time that a vulnerability has been acknowledged by the government in critical infrastructure such as an agency that holds the data of lakhs of investors.

Why was this question raised in the Parliament?

It all started when a cybersecurity firm CyberX9 reported that CDSL, India’s largest securities depository, had exposed sensitive data of around 4.39 crore investors on November 8.

“We strongly suspect that the data might’ve already been stolen by malicious attackers,” CyberX9 had said then.

What personal and financial data were exposed?

CyberX9 reported that the exposed data includes sensitive personal details like:

  • Full name
  • Complete PAN No
  • Gender
  • Marital status
  • Father/spouse’s full name
  • Complete Date of Birth
  • Nationality
  • Complete residential address
  • Complete permanent address
  • Contact number(s)
  • Email address
  • Occupation details.

And financial details like:

  • Amount of annual income tax return filed
  • Net worth (along with the date on which it was updated)
  • Demat account number
  • Broker name
  • CDSL Client ID

Also read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

While the market reality of popular crypto-assets like Bitcoin may undergo little change, the same can't be said for stablecoins.

News

Bringing transactions related to crypto-assets within the tax net could make matters less fuzzy.

News

Loopholes in FEMA and the decentralised nature of crypto-assets point to a need for effective regulations.

News

The need of the hour is for lawmakers to understand the systems that are amplifying harmful content.

News

For drone delivery to become a reality, a permissive regulatory regime is a prerequisite.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ