This is an archive article published on October 28, 2021

KYC registering agency gets cyber vulnerability alert

Access to KYC data can potentially enable malicious actors to launch customised attacks aimed at financial fraud, identity theft, extortion, impersonation etc. CVL says vulnerability has been mitigated.

A team of cyber security researchers last Wednesday red-flagged a critical security issue in Sebi-registered KYC registering agency CDSL Ventures Limited (CVL) which, it claimed, could be exploited for unauthorised access to sensitive personal and financial data of investors.

CVL is a wholly owned subsidiary of India’s largest securities depository Central Depository Services Limited. It facilitates centralised storing and safeguarding of investor information, provides fully digitised KYC services to market intermediaries and holds information of over 4 crore investors.

The vulnerability was fixed on Tuesday — a week after it was reported to CDSL, National Critical Information Infrastructure Protection Centre (NCIIPC) under National Technical Research Organisation, and CERT-In under the Ministry of Electronics and Information Technology (MEITY).

“Our researchers detected an authorisation vulnerability in one of the APIs (application programme interface) which allowed anyone capable of launching a malicious attack to retrieve extremely sensitive personal and financial information of around 4.39 crore investors who have obtained market securities KYC since 2005,” said Himanshu Pathak, founder of Chandigarh-based cyber security consultancy startup CyberX9.

When contacted, a CDSL spokesperson said in an email on Tuesday: “CDSL would like to clarify that there has been no security issue or data breach at CDSL. However, CVL has received a vulnerability alert on the website of CVL which has since been mitigated. There has been no data breach at CVL.” Emails seeking comment to SEBI, NCIIPC and CERT-In remained unanswered.

Investor KYC for market securities involves extended personal and financial data points — name, addresses, gender, marital status, PAN, email, annual income, net worth, Demat account number, broker details, client ID etc, all of which were accessible at least until October 25 due to the authorisation vulnerability.

Access to KYC data can potentially enable malicious actors to launch customised attacks aimed at financial fraud, identity theft, extortion, impersonation etc. At another level, this dataset can also be used to disrupt the stock market through targeted misinformation campaigns.

Flagging the vulnerability on October 19 to NTRO’s NCIIPC and MEITY’s CERT-In, the national nodal agency for responding to computer security incidents, CyberX9 wrote: “Considering the extreme impact of this if exploited by a malicious attacker, we expect remediation of the issue at the earliest.” On October 20, records show, CERT-In requested “relevant screenshots” and subsequently registered the complaint for “appropriate action.”

Jay Mazoomdaar is an investigative reporter focused on offshore finance, equitable growth, natural resources management and biodiversity conservation. Over two decades, his work has been recognised by the International Press Institute, the Ramnath Goenka Foundation, the Commonwealth Press Union, the Prem Bhatia Memorial Trust, the Asian College of Journalism etc. Mazoomdaar’s major investigations include the extirpation of tigers in Sariska, global offshore probes such as Panama Papers, Robert Vadra’s land deals in Rajasthan, India’s dubious forest cover data, Vyapam deaths in Madhya Pradesh, mega projects flouting clearance conditions, Nitin Gadkari’s link to e-rickshaws, India shifting stand on ivory ban to fly in African cheetahs, the loss of indigenous cow breeds, the hydel rush in Arunachal Pradesh, land mafias inside Corbett, the JDY financial inclusion scheme, an iron ore heist in Odisha, highways expansion through the Kanha-Pench landscape etc.
