wordpress blog stats
Connect with us

Hi, what are you looking for?

Finance Ministry identifies weak link in CDSL that put sensitive data of investors at risk

The ministry’s answer in parliament revealed new details about a critical flaw at India’s largest securities depository.  

“…the web portal of CVL is vulnerable to Insecure Direct Object References. It was initially observed that on the login page of CVL, there was a possibility of getting access to the details of another user by changing the reference ID of the user,” the Ministry of Finance wrote in response to a question by Indian National Congress MP Manish Tewari in the winter session of Lok Sabha. The ministry also shed light on how the vulnerability was fixed “by encrypting the reference ID, the reply added.

The Central Depository Services Limited (CDSL) is one of the two SEBI-regulated depositories that hold securities like shares, mutual funds, and bonds in electronic format. Nearly 600 stockbrokers who collectively have over 4 crore investor accounts are associated with CDSL. CDSL Ventures (CVL) is a government-approved KYC registration agency owned by CDSL.

A second vulnerability was found in CVL which was promptly fixed by the firm and the same was conveyed to the Indian Computer Emergency Response Team (CERT-In). The ministry also revealed that a forensic audit of CVL was conducted at the direction of the Securities and Exchange Board of India (SEBI).

The ministry clarified that “there was no authorization vulnerability in any of the Application Programming Interfaces (APIs) and/or website of Central Depository Services Ltd. (CDSL)”.

Advertisement. Scroll to continue reading.

It is the first time that a vulnerability has been acknowledged by the government in critical infrastructure such as an agency that holds the data of lakhs of investors.

Why was this question raised in the Parliament?

It all started when a cybersecurity firm CyberX9 reported that CDSL, India’s largest securities depository, had exposed sensitive data of around 4.39 crore investors on November 8.

“We strongly suspect that the data might’ve already been stolen by malicious attackers,” CyberX9 had said then.

What personal and financial data were exposed?

CyberX9 reported that the exposed data includes sensitive personal details like:

  • Full name
  • Complete PAN No
  • Gender
  • Marital status
  • Father/spouse’s full name
  • Complete Date of Birth
  • Nationality
  • Complete residential address
  • Complete permanent address
  • Contact number(s)
  • Email address
  • Occupation details.

And financial details like:

  • Amount of annual income tax return filed
  • Net worth (along with the date on which it was updated)
  • Demat account number
  • Broker name
  • CDSL Client ID

Also read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.
Written By

I cover several beats such as Crypto, Telecom, and OTT at MediaNama. I can be found loitering at my local theatre when I am off work consuming movies by the dozen.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ