India’s largest securities depository Central Depository Services Limited (CDSL) exposed sensitive data of around 4.39 crore investors, cybersecurity firm CyberX9 reported on November 8.

CDSL is one of the two SEBI-regulated depositories that hold securities like shares, mutual funds, and bonds in electronic format. Nearly 600 stockbrokers who collectively have over 4 crore investor accounts are associated with CDSL.

Although the vulnerabilities that exposed the sensitive data have now been fixed, there are significant ramifications if the data fell into the wrong hands. "We strongly suspect that the data might’ve already been stolen by malicious attackers," CyberX9 said.

"There is a need for a fair security audit of CDSL by the government," the firm added.

MediaNama has reached out to CDSL for comments and will update this report if we receive a response.

Twice in one month

On October 19, CyberX9 discovered a critical security vulnerability in CDSL and reported the same to the company. The company reportedly took "7 days to fix the vulnerability while an immediate fix could’ve been done in max two hours," CyberX9 said.

Notwithstanding the delay in fixing the issue, CyberX9 on October 29 "found a laughably easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability." The cybersecurity firm reported the same to CDSL the next day and the vulnerability was fixed on November 1.

What personal and financial data were exposed?

CyberX9 reported that the exposed data includes sensitive personal details like:

Full name
Complete PAN No
Gender
Marital…
