India’s popular securities depository services provider – the Central Depository Services Limited (CDSL) – is making headlines for an alleged data breach at its subsidiary CDSL Ventures Limited (CVL). According to a report from CyberX9, the data breach exposed the personal and financial information of over 4.39 crore (43.9 million) investors in India.
One Flaw – Two Data Breaches
CyberX9’s research team stated that it had identified a critical authorization vulnerability in one of CDSL’s public KYC APIs that exposed investors’ data online. The vulnerability was fixed after the research team reported the issue to CDSL. However, a few days later the CyberX9 team found a bypass for the patch CDSL had applied, which exposed the same sensitive data of 43.9 million investors again.
The data breach affected the investors who did their market securities KYC process in 2005. The exposed information included personal details like full name, PAN numbers, gender, marital status, father/spouse’s full name, birth dates, nationality, complete residential address, complete permanent address, contact numbers, email address, and occupation details. The incident also exposed sensitive financial information like the amount of annual income tax return filed, net worth (along with the date it was updated), Demat account number, broker name, and CDSL Client ID.
The exposed information is highly sensitive and could lead to severe security and privacy issues if it falls into the wrong hands. Having access to CDSL KYC data, cybercriminals could have an endless supply of convincing scamming templates for calls and emails to use against investors and organizations.
Online phishers and scammers could misuse the leaked information against individuals and organizations. Threat actors often leverage Business Email Compromise (BEC) scams impersonating stockbrokers, banks, and businesses to trick users into transferring funds. State-sponsored actors could also exploit this data to spread misinformation and manipulate Indian share market trends.
“This is extremely sensitive data which is usually the base information needed for many malicious attacks against individuals and organizations. There is an indefinite number of possible malicious use cases. Any malicious attacker could’ve discovered it and stolen all the data. We strongly suspect that the data might’ve already been stolen by malicious attackers,” CyberX9 said.