India’s biggest demat depository breached

India'S Biggest Demat Depository Breached

Central Depository Services Ltd. (CDSL), a security firm liaised with the Bombay Stock exchange (BSE), National Stock Exchange (NSE) allegedly fell prey to a vulnerability in their own applications, thus causing a serious data breach. The depository maintains data for crores of traders in India. If these allegations are true, this will be the biggest demat depository breached ever, causing tremendous data and monetary loss.

The demat depository cyber case unfolds

An independent team of cybersecurity researchers have claimed that a vulnerability exists in CDSL’s servers. According to them, this vulnerability can expose all the sensitive personal and financial data of around 4.39 crore Investors who have completed their KYC with CDSL. The combined net worth of all these investors will exceed INR 1,000 crores.

The founder and director of the company for whom the researchers were working for says that the stolen data is a “virtual gold mine” for hackers and scammers. Anyone who gets their hands on this information can manipulate the Indian stock markets.

“The nature of the vulnerability here indicates extreme negligence in handling sensitive personal and financial data of people. And that is not something we expect from one of the largest Indian depositories,” the founder / director added.

CDSL did not fold, and promptly responded, explaining that there was no data breach but there was indeed a vulnerability which was swiftly dealt with.

“CDSL would like to clarify that there has been no security issue or data breach at CDSL. However, CVL has received a vulnerability alert on the website of CVL, which has since been mitigated. There has been no data breach at CVL.” – An excerpt from CDSL’s response.

Specifics of the alleged vulnerability that got the demat depository breached

Around the 19th of October 2021, a glitch was reported in the CDSL solution that was blocking investors from selling their shares. This was due to a failure in CDSL’s portal to authorise the sale of shares.

However, this glitch was in addition to the vulnerability detected by this group of cybersecurity researchers. This vulnerability exposed 19 different data points for every investor in CDSL’s KYC database:

  1. Annual income tax liability
  2. Net worth
  3. Occupational details
  4. Demat account number
  5. Broker Name
  6. CDSL allotted client ID
  7. Investor’s full name
  8. PAN
  9. Gender
  10. Marital status
  11. Father or spouse’s name
  12. Residential address
  13. Permanent address
  14. Email ID
  15. Contact number(s)
  16. DOB
  17. Nationality
  18. Demat account opening application date
  19. Demat account opening date

The vulnerability was discovered in the API calls (which allow two disparate systems to talk) that the CDSL software uses for its KYC services. This vulnerability is leaking data of all investors who’ve undergone the KYC process through the CDSL solution. Anyone with a basic understanding of how API calls work can apparently manipulate this API to bypass proper authorization.

After following the demat account data breach, an independent technology researcher, chimed in:

“Authorisation flaws in India typically are about exposed access credentials to APIs that are available on the internet, with which anyone can access and query the data behind API,” he said. “Mature organisations monitor API usage patterns and detect anomalies. Most legacy organisations or non-native tech companies, however, do not have people, processes, tech to detect (anomalies), and data security is left to vulnerability reporting.”

Learnings for you

This case was tied up for a long time in the blame game. The demat depository had to spend a lot more time defending itself than actually fixing the vulnerability. Cyber fraud can sometimes turn messy, and distract you from business growth and productivity.

To prevent such things from happening in your organisation is to know exactly how every piece of code that goes in maintaining customer data works. Maybe you have developed some software in-house or maybe you rely on a 3rd party software vendor. It is still your responsibility to know whether proper security is being maintained.

Sometimes, vulnerabilities stay hidden from plain sight and silently cause damage. A thorough web application security assessment will give you more visibility into what really goes under the shiny exterior of your system software.


While our experts kickstart the process of evaluating your website, why not look into our network security tools? They are powered with a security mechanism that can expose fraudulent and dangerous web and API requests. Explore our web application firewalls and take the first step towards stronger application security.

More IT and security resources and updates.

Leave a Reply

Your email address will not be published. Required fields are marked *

Continue to chat
Hello 👋
Let us know how we can help you!