Researchers from CyberX9, a firm with many cyber security experts, claim to have found a vulnerability in the servers of Central Depository Services Limited (CDSL). CyberX9 works for Fortune 500 companies, law enforcement agencies, and high-net-worth individuals from around the world.
What is Central Depository Services Limited (CDSL)?
Central Depository Services Limited (CDSL) facilitates the holding and transaction of dematerialized securities in electronic form and also helps in the settlement of trades on stock exchanges. The securities can be equities, bonds, exchange-traded funds, units of mutual funds, units of alternate investment funds, commercial papers, certificates of deposits, treasury bills, and government securities.
CDSL was initially promoted by BSE, which later divested its stake to some banks. CDSL was listed on the National Stock Exchange (NSE) in 2017. It manages investor accounts on the Bombay Stock Exchange, National Stock Exchange, and other exchanges.
Himanshu Pathak, the founder and managing director of CyberX9, has said that the exposed data can be used by phishers and scammers. In his view, there has been negligence in the handling of people's sensitive personal and financial data, which in turn has exposed the information of 4.39 crore investors.
What is the data exposed?
The exposed investor data includes net worth, amount filed as annual income tax, Demat account number, occupation details, broker name, CDSL client ID, investor’s full name, PAN number, marital status, father's/spouse’s name, gender, nationality, date of birth, residential address, permanent address, email address, contact numbers, and the application date and number used to open the Demat account.
What is the issue involved?
CyberX9 discovered the vulnerability on 4th October, but it could only find a contact for CDSL around two weeks later. On 19th October it emailed CDSL, CERT-In (the Indian Computer Emergency Response Team, which handles cybercrime-related issues), and NCIIPC (the National Critical Information Infrastructure Protection Centre) about the vulnerability.
The data was exposed due to a vulnerability in an Application Programming Interface (API), a software intermediary that lets two computer applications communicate with each other. Applications use the API to send data to and receive data from each other. The vulnerability could allow anyone with good technical skills and know-how to access sensitive investor data.
CyberX9 says that it took CDSL around 7 days to fix the vulnerability, but that this should have been resolved immediately to protect the customer data. The vulnerability was then no longer exploitable, but on October 29th CyberX9 found an easy bypass for the fix that CDSL had implemented earlier.
When contacted by news agencies, CDSL said that the vulnerability alert on the website of CVL has been mitigated and that it took immediate action to address the issue. It said there has been no data breach at CVL and that it had been working proactively to further address any potential security issues.
Consequences of the data falling into the hands of malicious attackers, according to CyberX9:
1) The data would help scammers and phishers impersonate brokers, banks, and businesses and could trick individuals into transferring funds to the fraudsters.
2) There could be targeted attacks against a few individuals.
3) The data could also be used to disrupt the stock market through misinformation campaigns, which could create panic among investors, who could withdraw their money.
What could be done to improve the situation?
- More cyber security investment is required, according to an expert.
- The data protection bill should become a reality to enable consumers to initiate action.
- Some organizations can detect anomalies through API usage patterns. This requires trained manpower and processes for data security.
- CDSL should inform the users.
What could be done by the investors?
1) Investors can change the password of their Demat account. A strong password with special characters should be used, as hackers work through all possibilities to guess the password.
2) Change the settings on your mobile app.
It is the duty of CDSL to protect the data of its users. Hackers can steal users' data and cause various financial problems. Investors should remain careful on their end by keeping strong passwords for their accounts, while audits should be carried out at regular intervals to ensure that the valuable data of investors is safe. This would increase the faith of new investors in CDSL and in the functioning of the Indian stock exchanges, which millions of millennials have joined to participate in the latest bull run.