CyberX9’s research team discovered a critical security vulnerability in CDSL — India’s largest securities depository — in early October 2021. CDSL was exposing extremely sensitive personal and financial data of ~43.9 million (~4.39 crore) investors in India. The people whose data was exposed were those who had completed their market securities KYC. In India, you have to go through a KYC process to invest in securities such as stocks, mutual funds and bonds. CDSL’s CVL is a top KYC registration agency approved by the Government of India.
The issue we discovered was an authorisation vulnerability in a public CDSL KYC API, which exposed this massive amount of sensitive data to the whole internet.
The data included sensitive personal details of people like full name, complete PAN No., gender, marital status, father/spouse’s full name, complete Date of Birth, nationality, complete residential address, complete permanent address, contact number(s), email address, occupation details.
And sensitive financial details like the amount of annual income tax return filed, net worth (along with the date on which it was updated), Demat account number, broker name, and CDSL Client ID.
The data of ~43.9 million (~4.39 crore) people exposed dates back to around 2005 (when people applied for their KYC back then).
Such data is highly sensitive, and its falling into the hands of malicious attackers can prove disastrous for the people concerned.
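The report describes the flaw as an authorisation failure in a public KYC lookup API and, rightly, does not publish the endpoint or the request. The following Python is an added illustration (not CDSL’s code; all names, roles, record shapes and sample data are constructed assumptions) of that general flaw class and of what a fix looks like: a lookup handler that checks only that the caller is logged in, beside one that also enforces object-level authorisation, returns the same error for missing and unauthorised records, returns only the fields the caller needs, and writes an audit log that a simple detector can scan for a single caller reading many different records.

```python
"""Object-level authorisation for a KYC-record lookup (added illustration;
not CDSL's code; all names, record shapes and sample data are assumptions)."""
from dataclasses import dataclass, asdict
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class KycRecord:
    record_id: str
    owner_user_id: str      # the investor account this KYC record belongs to
    full_name: str
    pan: str                # Permanent Account Number, 10 characters
    dob: str
    address: str
    annual_income_band: str


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str               # "investor" or "kyc-officer" (assumed roles)


# Constructed sample data; the people and numbers are fictitious.
RECORDS: Dict[str, KycRecord] = {
    "1001": KycRecord("1001", "u-alice", "Alice Example", "ABCDE1234F",
                      "1980-01-01", "Mumbai", "5-10L"),
    "1002": KycRecord("1002", "u-bob", "Bob Example", "FGHIJ5678K",
                      "1975-06-15", "Pune", "10-25L"),
}

AUDIT_LOG: List[Tuple[str, str]] = []   # (caller user_id, record_id) per successful read


class NotFound(Exception):
    """Raised for both missing and unauthorised records (see get_kyc_hardened)."""


def get_kyc_vulnerable(principal: Principal, record_id: str) -> dict:
    """The flaw class the report describes: the handler relies on the caller being
    authenticated but never checks that the caller may read *this* record, so any
    valid session can retrieve any record by its identifier."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return asdict(rec)          # full record, including full PAN and income band


def _may_read(principal: Principal, rec: KycRecord) -> bool:
    """Object-level rule: owners read their own record; KYC officers may read any."""
    return principal.user_id == rec.owner_user_id or principal.role == "kyc-officer"


def mask_pan(pan: str) -> str:
    """Keep only the first and last two characters, e.g. ABCDE1234F -> AB******4F."""
    return pan[:2] + "*" * (len(pan) - 4) + pan[-2:]


def get_kyc_hardened(principal: Principal, record_id: str) -> dict:
    """Authorise per object, then return only what the caller needs."""
    rec = RECORDS.get(record_id)
    # One error for "no such record" and "not yours": a distinct 403 would let a
    # caller confirm which identifiers exist even when the data itself is denied.
    if rec is None or not _may_read(principal, rec):
        raise NotFound(record_id)
    AUDIT_LOG.append((principal.user_id, record_id))
    view = asdict(rec)
    if principal.user_id != rec.owner_user_id:
        # Least privilege for staff views: masked PAN, no financial band.
        view["pan"] = mask_pan(rec.pan)
        del view["annual_income_band"]
    return view


def callers_reading_many_records(log: Iterable[Tuple[str, str]],
                                 threshold: int = 3) -> Set[str]:
    """Detection over the audit log: callers who read more distinct records than
    a legitimate workflow would. An investor reads one record; a long list of
    distinct identifiers from one caller is the footprint of bulk retrieval."""
    seen: Dict[str, Set[str]] = {}
    for user_id, record_id in log:
        seen.setdefault(user_id, set()).add(record_id)
    return {u for u, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    bob = Principal("u-bob", "investor")
    print(get_kyc_vulnerable(bob, "1001")["pan"])      # Alice's full PAN: the bug
    try:
        get_kyc_hardened(bob, "1001")
    except NotFound:
        print("hardened: denied")
    print(get_kyc_hardened(Principal("u-alice", "investor"), "1001")["pan"])
```

The two design points worth noting are that the authorisation decision is made against the specific record being requested, not just against the caller’s login, and that the audit log is written at the point of access so that the detector has something to work from; the threshold in the detector is a placeholder a real deployment would tune to its own traffic.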
This is extremely sensitive data, and it is usually the base information needed for many malicious attacks against individuals and organisations. Though there is no end to the possible malicious uses of such highly sensitive data of millions of people, below are a few to give people an idea.
1. The information exposed by CDSL could also be a virtual gold mine for phishers and scammers involved:
“Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication.” — SearchSecurity
  1. in so-called Business Email Compromise (BEC) scams, which often impersonate brokers, banks, and businesses in a bid to trick individuals and companies into transferring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.
  2. in scam and extortion calls to individuals selected on the basis of their financial details in this exposed data.
  3. in scam calls pretending to be from the victim’s bank, the Income Tax Department or some other institution, which gain the victim’s trust by quoting the sensitive personal and financial details exposed through this vulnerability.
  4. in income tax refund scams.
Armed with such access to CDSL KYC data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails. A database like this would also give fraudsters a constant feed of newly KYC-registered investors to target.
2. There is also the possibility of malicious people using this exposed data for identity theft: opening bank accounts, taking loans, and similar. In market securities KYC (whose data was being exposed), people have to give much more information than in any other type of KYC.
3. This data can be used to disrupt the Indian share market. It is a gold mine for malicious attackers looking to spread misinformation to manipulate Indian share markets. There are always malicious actors actively trying to spread misinformation to manipulate markets, but reaching real investors (essentially the new investors, who are more vulnerable to misinformation) as well as high-net-worth investors is a hurdle. With access to such investor data, they could disrupt and manipulate the share markets much more efficiently. This data could also be used by hostile countries to disrupt Indian markets.
4. People commonly use the type of information exposed here as their passwords and as answers to security questions for online services. That is why it can also lead to people’s social media, email, and other accounts being hacked by malicious attackers using their information from this exposure.
5. An exposure of such sensitive personal and financial data of massive numbers of people easily leads to financial fraud and identity theft, and exposes people to extortion, targeted attacks, etc. An attacker could also possibly use this sensitive information to attack investors’ Demat accounts, which hold mutual funds, equity shares, etc. The type of data being exposed is also used for secret questions on multiple services such as net banking, and for verification on call when executing trades with many brokers.
For years, governments worldwide have been imposing hefty fines on companies for exposing and leaking customer data. But in India, there has not been any such significant example. Under the European Union’s GDPR, companies that clearly did not take reasonable security steps to secure sensitive data have received hefty fines.
Some prominent past incidents of such fines:
“In July 2019, Equifax settled a lawsuit stemming from its 2017 data breach, which exposed the personal information of 147 million people. Under the settlement with the FTC, CFPB and state attorneys general, Equifax has agreed to spend up to $425 million to help people affected by the data breach.” — Source
Under GDPR, British Airways and Marriott famously both received fines of over €10,000,000 for GDPR violations in which they exposed customer data and were penalised for insufficient technical and organisational measures to ensure information security (similar to CDSL). You can see other fines issued under GDPR privacy law for cyber security negligence here.
This was a case of sheer negligence by CDSL in securing sensitive client data. The vulnerability was not highly complex for our team to discover, so any malicious attacker could have discovered it too and stolen all the data. We strongly suspect that the data might already have been stolen by malicious attackers. There is a need for a fair security audit of CDSL by the government.
“has in place a stringent policy and systems to ensure confidentiality of data.” — CDSL states on its website
Expose all of your sensitive data to the whole internet. — the truth, in reality
The nature of the vulnerability here indicates extreme negligence in handling people’s sensitive personal and financial data, and that is not something we expect from the largest Indian depository. CDSL clearly does not stand by what it promises about the security and confidentiality of customer data.
The vulnerability is highly critical due to its massive impact, but the nature of vulnerability found here also indicates horrible security practices at CDSL. That’s why, from our vast experience in the security field, our researchers strongly suspect there might be more such critical security issues in CDSL — potentially resulting in people losing access to their holdings in their CDSL Demat account.
CDSL does not even publish a way to contact its security team (if one exists) for responsibly reporting security vulnerabilities. In contrast, most companies nowadays do publish such a contact, since it helps researchers quickly report security issues to them.
After spending a few days and failing to find any security contact at CDSL, our team found some email addresses of the “Overall Incharge” of “Information Technology” and of “Audit and Compliance”. Even days after sending them our detailed report explaining the vulnerability and its impact, we have not received a single reply from them.
Having failed to find any security contact at CDSL, we also reported the issue through the Government of India’s CERT-In and NCIIPC, which coordinate responsible disclosure of critical vulnerabilities in India.
What could have taken a maximum of 2 hours took CDSL more than 7 days to secure its systems and stop the exposure of the data of ~4.39 crore people.
CDSL exposed the sensitive data of ~4.39 crore people to the whole internet. It has no proper way to report a security issue. It does not reply. It kept the sensitive data exposed, putting ~4.39 crore people at risk, for more than 7 days even after becoming aware of the issue.
CDSL finally fixed the vulnerability on or around 26th October 2021, after pressure from CERT-In and NCIIPC and after journalists started contacting them for comment on our finding.
Below is our timeline of communication with both CERT-In and NCIIPC.
19th Oct 2021: Reported to CERT-In
20th Oct 2021: They first responded the day after our email, asking for a screenshot of the exposed data, which we provided without delay. However, it was unusual to wait for a screenshot before CERT-In started urging CDSL to fix the issue, since all technical details were already in our report.
20th Oct 2021: They replied later with:
“Thank you for reporting this incident to CERT-In. We have registered your complaint/incident under CERTIn-79577321. We are in process of taking appropriate action with the concerned authority.”
25th Oct 2021: After confirming that the issue was still unfixed, we emailed CERT-In again to let them know and request to escalate this immediately.
25th Oct 2021: CERT-In replied: “We are in the process of taking action with the appropriate authority.”
19th Oct 2021: Reported to NCIIPC
20th Oct 2021: They replied to us:
“1. We acknowledge the issue reported by you. 2. We are in the process of verification and remediation in coordination with the respective stakeholder(s) and look forward to your continued contribution.”
25th Oct 2021: After confirming that the issue was still unfixed, we emailed NCIIPC again to let them know and request to escalate this immediately.
— No response has been received since —
The Ministry of Finance and SEBI, which regulates CDSL, should order a fair, thorough security audit of CDSL, including an investigation of any past incidents in which CDSL leaked its customers’ data, when, and how much. It is a big issue if the nation’s biggest securities depository has such a poor cyber security posture and handles sensitive customer data with such negligence.
CDSL should itself also get comprehensive security testing of its applications done to check for more vulnerabilities.
We strongly recommend that companies treat cyber security not as optional but as one of their most important responsibilities. All companies should do regular security testing of their applications to avoid such security vulnerabilities. Companies like CDSL in particular, which handle massive amounts of sensitive and confidential data of millions of people, should have continuous security testing of their applications done by skilled security engineers.
Press: for any questions or request of evidence relating to this finding, feel free to contact us at firstname.lastname@example.org