A vulnerability at CDSL Ventures (CVL) exposed personal and financial data of over 4 crore investors twice within 10 days, the Business Standard has reported.
The exposed data includes investors' names, phone numbers, email addresses, PAN, dates of birth and other sensitive information, based on the portion of the exposed data that was examined.
CVL is a subsidiary of leading Demat services provider Central Depository Services (India) Limited (CDSL).
CVL took immediate action to address the vulnerability, CDSL has said.
The report, quoting Himanshu Pathak, founder and managing director of the cybersecurity consultancy startup CyberX9, said CERT-In and NCIIPC have accepted its vulnerability report for CDSL.
CyberX9 said it reported the vulnerability to CDSL on October 19 and that it was fixed in around 7 days, though it could have been resolved immediately.
A few days later, on October 29, the CyberX9 team found an “easy and complete bypass” for the fix that CDSL had implemented to address the vulnerability. The bypass was not a complex issue when the vulnerability was detected for the second time.
In a blog post, CyberX9 said it strongly suspects that the data might already have been stolen by attackers. A security audit of CDSL is now required, it said.
“Armed with such access to CDSL KYC data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails to use. A database like this would also give fraudsters a constant feed of new investors getting KYC to target them,” CyberX9 said.
The theft of personal and financial data can lead to financial fraud and identity theft.