New Delhi: A team of cybersecurity researchers claims to have found a vulnerability in the servers of the Central Depository Services Limited (CDSL), India’s biggest depository system that maintains demat accounts of crores of investors.
The CDSL, a government-registered share depository, manages investor accounts trading on the Bombay Stock Exchange (BSE), the National Stock Exchange (NSE), as well as other exchanges.
According to cybersecurity researchers at CyberX9, a Chandigarh-based company, the vulnerability in CDSL’s system exposed sensitive personal and financial data of an estimated 4.39 crore investors on whom CDSL has performed a Know Your Customer/Client (KYC) operation since 2005.
The team said those exposed included investors with a net worth of over Rs 1,000 crore.
CyberX9’s founder and managing director, Himanshu Pathak, called the data “exposed” in the CDSL vulnerability a “virtual gold mine” for phishers, scammers, and for “malicious attackers looking to spread misinformation to manipulate Indian share markets”.
According to Pathak, the data was exposed because of a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL). “The nature of the vulnerability here indicates extreme negligence in handling sensitive personal and financial data of people. And that is not something we expect from one of the largest Indian depositories,” Pathak added.
However, a CDSL statement in response to an email from ThePrint sent on 27 October said there had been no breach, but a vulnerability was found and sorted out. “CDSL would like to clarify that there has been no security issue or data breach at CDSL. However, CVL has received a vulnerability alert on the website of CVL, which has since been mitigated. There has been no data breach at CVL.”
Pathak, though, claimed the vulnerability was fixed only several days after the issue was reported to CDSL and two government entities, CERT-In (Indian Computer Emergency Response Team) and NCIIPC (National Critical Information Infrastructure Protection Centre).
He said CyberX9 discovered the vulnerability on 4 October but could only find the relevant security contact for CDSL around two weeks later. It emailed CDSL, CERT-In and NCIIPC about the vulnerability on 19 October.
Pathak said he received no response from CDSL, but shared with ThePrint email screenshots of the correspondence he received from CERT-In and NCIIPC.
CERT-In responded to CyberX9 twice on 20 October, asking Pathak for screenshots to help validate the vulnerability, and then again to say that CERT-In is “in process of taking appropriate action with the concerned authority”.
NCIIPC had emailed Pathak on the same day, acknowledging the vulnerability and saying that it is working to verify and remediate the issue.
ThePrint emailed CERT-In and NCIIPC on 27 October about the vulnerability but received no response until this report was published.
Pathak claimed even after these emails, the problem was not fixed. “Our team confirmed and has evidence that the vulnerability was still unfixed” as of around 8 pm on 25 October, he said.
“CDSL, CERT-In and NCIIPC have been extremely sluggish” in fixing such a “critical security issue”, he added.
Pathak further claimed an “immediate fix for the vulnerability could’ve been done in a maximum of two hours”.
What is CDSL?
The CDSL is one of only two depository systems in the country handling crores of investor accounts, with the other being the National Securities Depository Limited (NSDL).
Whenever you buy shares on the Bombay Stock Exchange, you do so via a brokerage firm. But the stock broker is just an intermediary and the account with all your shares is actually stored with CDSL. Such an account is called a ‘dematerialised’ or demat account because your stock market shares are virtual.
CDSL is currently the largest depository in India by number of active demat accounts.
How bad was the vulnerability?
The Business Standard had, on 19 October, reported a glitch in CDSL that was not allowing investors to sell their shares. The CDSL portal used to authorise sale of shares was not working.
Pathak, however, clarified that the glitch reported by Business Standard is not directly linked to the vulnerability his company discovered.
He claimed the vulnerability discovered by CyberX9 exposed 19 types of data for each investor. This includes the amount filed as annual income tax; net worth; occupation details; demat account number; broker name; CDSL client ID; the individual investor’s full name; PAN number; gender; marital status; father/spouse’s name; date of birth; nationality; residential address; permanent address; email address; contact numbers; and even the application date and number to open a demat account.
Pathak added that the data was exposed because of a vulnerability in an Application Programming Interface (API) used by the CVL.
An API is a piece of software that sits between two computer applications, which use it to send data to and receive data from each other.
CVL is a service set up to perform investor identity verification via KYC processes.
CVL, according to Pathak, is “exposing all KYC data of anyone who has gone through the CDSL KYC process”.
An API used by CVL to communicate and receive data from the main CDSL computer server has a vulnerability allowing anyone with enough technical know-how to use that API to bypass the need for proper authorisation to access sensitive investor data, Pathak said.
Independent technology researcher Srikanth, without knowing full details of the alleged data breach, said some firms do not have the manpower to monitor API usage.
“Authorisation flaws in India typically are about exposed access credentials to APIs that are available on the internet, with which anyone can access and query the data behind API,” he said. “Mature organisations monitor API usage patterns and detect anomalies. Most legacy organisations or non-native tech companies, however, do not have people, processes, tech to detect (anomalies), and data security is left to vulnerability reporting,” he said.
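One way to put Srikanth's point about monitoring API usage patterns into practice, as an added example that is not code from the article, CDSL or CVL: a sliding-window check over constructed KYC-lookup access logs (the log format, field names and thresholds are assumed) that flags any API key successfully retrieving more distinct client records in a short window than a legitimate per-client lookup would.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample API access log (not real CVL/CDSL data). Fields:
# timestamp, hashed API key, method, lookup path with the client_id, HTTP status.
SAMPLE_LOG = """\
2021-10-19T10:00:01 key=brokerA GET /kyc/lookup?client_id=10000001 200
2021-10-19T10:00:07 key=brokerA GET /kyc/lookup?client_id=10000002 200
2021-10-19T10:00:09 key=brokerB GET /kyc/lookup?client_id=20000077 200
2021-10-19T10:00:10 key=unknown1 GET /kyc/lookup?client_id=10000001 200
2021-10-19T10:00:11 key=unknown1 GET /kyc/lookup?client_id=10000002 200
2021-10-19T10:00:12 key=unknown1 GET /kyc/lookup?client_id=10000003 200
2021-10-19T10:00:13 key=unknown1 GET /kyc/lookup?client_id=10000004 200
2021-10-19T10:00:14 key=unknown1 GET /kyc/lookup?client_id=10000005 200
2021-10-19T10:00:15 key=unknown1 GET /kyc/lookup?client_id=10000006 200
2021-10-19T10:30:00 key=brokerA GET /kyc/lookup?client_id=10000003 200
"""
LINE_RE = re.compile(r"^(\S+) key=(\S+) \S+ /kyc/lookup\?client_id=(\d+) (\d{3})$")

def parse_log(text):
    """Parse KYC-lookup lines into (timestamp, key, client_id, status), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not KYC lookups
        ts, key, cid, status = m.groups()
        events.append((datetime.fromisoformat(ts), key, cid, int(status)))
    return sorted(events)

def enumerating_callers(events, window=timedelta(minutes=5), max_distinct=5):
    """Return {key: peak distinct client_ids seen in any window} for keys over the limit."""
    per_caller = defaultdict(list)
    for ts, key, cid, status in events:
        if status == 200:  # only successful disclosures count towards enumeration
            per_caller[key].append((ts, cid))
    flagged = {}
    for key, hits in per_caller.items():
        recent, counts, peak = deque(), defaultdict(int), 0  # counts: id -> hits in window
        for ts, cid in hits:
            recent.append((ts, cid))
            counts[cid] += 1
            while recent and ts - recent[0][0] > window:  # drop hits older than the window
                old_ts, old_cid = recent.popleft()
                counts[old_cid] -= 1
                if counts[old_cid] == 0:
                    del counts[old_cid]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    print(enumerating_callers(parse_log(SAMPLE_LOG)))  # {'unknown1': 6}
```

The threshold of five distinct records per five minutes is deliberately low for the ten-line sample; in production it would be tuned per integration partner from historical volumes, and a flagged key would be rate-limited or revoked pending review.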
What is CyberX9?
According to Pathak, CyberX9 has 15 senior cybersecurity experts based around the world and has been working for nearly three years in the “stealth mode for Fortune 500 companies, law enforcement agencies, and high-net worth individuals worldwide”.
Pathak has previously founded a political consultancy firm, Get Known, and is a politician who was a founding member of the Aam Aadmi Party, who later joined the Congress.
Pathak said he is now making the CyberX9 company identity “more public”. The Twitter profile for CyberX9 says it “protect(s) against a wide range of cyber attacks whether you are a business or a high-net worth individual”.
(Edited by Arun Prashanth)
(The Bombay Stock Exchange emailed ThePrint after the publication of this report to clarify that CDSL doesn’t only handle accounts related to it, but other exchanges like NSE too. The report has been updated to reflect this.)