An independent team of security researchers have identified a vulnerability in the software used by a Sebi-registered KYC Registration Agency. The agency, CDSL Ventures Limited (CVL), was already under the radar of cybersecurity professionals once before. The vulnerability gives a malicious hacker complete access to the confidential data of all the investors who do their KYC through CVL.
CVL is a subsidiary of India’s largest securities depository, the Central Depository Services Limited. It provides secure storage and management of sensitive investor information. It also provides KYC registration services to market intermediaries. All in all, it holds data for over 4 crore investors in India.
The vulnerability was patched up in a jiffy a week after it was reported. Along with CDSL, the National Critical Information Infrastructure Protection Centre (NCIIPC) and India’s Computer Emergency Response Team (CERT-In) were also involved.
“Our researchers detected an authorisation vulnerability in one of the APIs which allowed anyone capable of launching a malicious attack to retrieve extremely sensitive personal and financial information of around 4.39 crore investors who have obtained market securities KYC since 2005,” said Himanshu Pathak, founder / director of the security company which has the security researchers under its employ.
When confronted, a CDSL representative said the following via email: “CDSL would like to clarify that there has been no security issue or data breach at CDSL. However, CVL has received a vulnerability alert on the website of CVL which has since been mitigated. There has been no data breach at CVL.” Sebi, NCIIPC, and CERT-In refrained from opining on the matter.
As we see, CDSL claims that no data has yet been breached. But if it had, around 19 crucial data points for each investor profile would’ve been at stake. With this information, any hacker would’ve launched highly targeted phishing campaigns that would’ve caused further damage. Such a targeted phishing attack is called as spear phishing and needs to be prevented at all costs. Otherwise, it can lead to financial fraud, identity theft, extortion etc. But beyond that, access to such detailed stock information could also enable a determined hacker to manipulate share prices.
More IT and security resources and updates.