According to CyberX9, an infosec consultancy in India, the Central Depository Services Limited (CDSL) leaked 44 million investors’ personal information twice.
The Central Depository Services Limited was also slow in responding to security alerts about significant vulnerabilities. CDSL plays a vital role in India’s financial markets, as it serves exchanges, investors, and issuers with depository services. It maintains electronic records of investors and their shareholdings and has almost a million customers.
In a blog post, CyberX9 said CDSL exposed crucial data of many customers, including full names, tax department ID numbers, marital status, date of birth, nationality, residential address, email address, occupation details, and even the names of spouses and parents.
In their article, they have explained in detail how the records were exposed. The infosec company said it is “a case of sheer negligence by CDSL in securing sensitive client data. The vulnerability wasn’t highly complex for our team to discover.”
In a second article, the security firm explained the second leak, again portraying negligence on the part of CDSL and again claiming the vulnerability was not hard to discover.
CyberX9 also presented the timeline of its disclosure to CDSL. It alleged the depository did not advertise a contact for infosec issues and ignored its first notification for seven days; the depository also responded to the alert about the second vulnerability only after three days.
The security firm said it also informed CERT-In and India’s National Critical Information Infrastructure Protection Centre of both hacks, and that CDSL acted only after those bodies requested remediation.
Speaking to the Indian media, CDSL said the vulnerabilities were present on its website and that it acted promptly after receiving notification from CyberX9. The security firm disputed this, saying fixing the vulnerabilities would have required hours, not days.
CyberX9 has called for an independent audit of CDSL’s systems and infosec practices. It has also warned customers that the simplicity of exploiting the vulnerabilities means they should assume their data was accessed and watch out for phishing and other scams made easier by the wealth of data on offer.