CDSL Breach Leaks Millions of Investor Details
Table of Contents
- By David Lukic
- Published: Nov 30, 2021
- Last Updated: Mar 18, 2022
An error has leaked personal and financial data belonging to millions of Indian investors. The Indian Central Depository Services Limited subsidiary - CDSL Ventures Limited (CVL) - announced this while reporting a data breach on its network. Investigations revealed that the breach happened twice within the space of ten days.
What Happened?
On October 19, the CyberX9 cybersecurity team uncovered a significant security weakness in CDSL's network. CLV was revealing the personal and financial data of more than 43 million investors online. Then on October 29, the team found a complete bypass for the fix that CDSL implemented to correct the flaw earlier observed.
“We verified the fix before publication, and it was no longer exploitable. Later, on October 29, our research team got to work again, and within a couple of minutes, they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability,”
reported the team.
Reportedly, investors are most discouraged by the frequency of the attacks. The report revealed that the breach occurred twice within ten days, and because CDSL patched the second occurrence within a couple of minutes, CyberX9 argued that they could have corrected the first breach within two hours. But from what CVL said, it took almost one week to correct the error. With the amount of data exposed, many fear possible phishing attacks, tax refund scams, business email compromise scams, or extortions.
What Details Were Exposed?
The vulnerability affected CDSL’s Know-Your-Customer (KYC) wing. The research team at CyberX9 discovered that personal and financial information on investors who did their market securities with KYC were exposed. In total, 43.9 million Indian investors were affected.
Among leaked personal details are:
- Full name
- Gender
- Marital status
- Parent’s name
- Date of births
- Nationality
- Occupation
- Contact details
- Home addresses
- Email addresses
- PAN numbers
Leaked financial data include:
- Annual income tax return
- Net worth
- Demat account number
- Broker name
- CDSL Client ID
“We strongly suspect that the data might have already been stolen by malicious attackers. There is a need for a fair security audit of CDSL by the government,”
said CyberX9 in a press release.
What is CDSL Doing About It?
The CyberX9 cybersecurity team started internal investigations immediately they uncovered the breach. Their efforts yielded good results because they successfully repaired the reported flaw within the network.
CDSL also took prompt actions to minimize the damage. They reported the breach to appropriate authorities like CERT-In and NCIIPC. Additionally, they placed an official notification on their website. Because the research team took immediate action, CDSL recently allayed any fear of future cyber threats. When contacted about the status of this latest incident, CDSL said there is no more security issue or data vulnerability.
Cybersecurity Tips for Investors
Modern investors rely heavily on the internet for several activities like checking accounts holdings, trading, and making deposits. Protecting your online accounts from fraud is now part of normal best practices. The following tips can help you improve your account security.
- Use a Passphrase in place of a password: According to the U.S Securities and Exchange Commission, a passphrase is a special kind of password. Instead of a set of numbers, alphabets, and symbols, it uses a series of words. When prompted to log in, enter the words correctly to avoid being locked out of your account.
- Use strong and secure passwords: A strong password uses at least eight characters. It will be a combination of numbers, alphabets, and special symbols. Avoid using any personal information like birthdays or names in your password. The idea here is to make it impossible for others to guess your password.
- Activate multi-factor authentication: A two-step verification requires a second verification after you have supplied the password. Only you know the answer to the security question. Even if someone gains access to your login details, it will be impossible to steal from you.
