Text size:
New Delhi: A team of cybersecurity researchers claims to have discovered a vulnerability in the servers of Central Depository Services Limited (CDSL), India’s largest depository system that manages demat accounts for millions of investors.
CDSL, a government registered equity custodian, manages investor accounts traded on the Bombay Stock Exchange (BSE), National Stock Exchange (NSE), and other exchanges.
According to cybersecurity researchers at CyberX9, a Chandigarh-based company, CDSL’s system vulnerability exposed the sensitive personal and financial data of approximately 4.39 million investors on whom CDSL has performed a Know Your Customer / Client (KYC) transaction since 2005.
The team said those exposed included investors with a net worth of over Rs 1,000 crore.
CyberX9 founder and CEO Himanshu Pathak called the data “exposed” in the CDSL vulnerability a “virtual gold mine” for phishers, crooks and “malicious attackers seeking to spread disinformation to manipulate Indian stock markets â.

According to Pathak, the data was exposed due to a vulnerability in a subsidiary of CDSL, CDSL Ventures Limited (CVL). âThe nature of the vulnerability here indicates extreme neglect in handling people’s sensitive personal and financial data. And that’s not something we expect from one of India’s biggest custodians, âPathak added.
However, a statement from CDSL in response to an email from ThePrint sent on October 27 indicated that there was no breach, but that a vulnerability was found and addressed. âCDSL would like to point out that there have been no security issues or data breaches at CDSL. However, CVL received a vulnerability alert on the CVL website, which has since been mitigated. There has been no data breach at CVL.
Pathak, however, claimed the vulnerability was patched just days after the issue was reported to CDSL and two government entities, CERT-In (Indian Computer Emergency Response Team) and NCIIPC (National Critical Information Infrastructure Protection Center). .
He said CyberX9 discovered the vulnerability on October 4 but could not find the relevant security contact for CDSL until about two weeks later. He emailed CDSL, CERT-In and NCIIPC regarding the vulnerability on October 19.
Pathak said he received no response from CDSL, but shared with ThePrint email screenshots of the correspondence he received from CERT-In and NCIIPC.
CERT-In responded to CyberX9 twice on October 20, asking Pathak for screenshots to help validate the vulnerability, then saying again that CERT-In is “taking appropriate action with authority. concerned “.

The NCIIPC had emailed Pathak the same day, acknowledging the vulnerability and saying it was working to verify and resolve the issue.

ThePrint emailed CERT-In and NCIIPC on October 27 regarding the vulnerability, but received no response until this report was released.
Pathak claimed that even after these emails, the issue was not resolved. âOur team has confirmed and has evidence that the vulnerability was still not patchedâ around 8 p.m. on October 25, he said.
“CDSL, CERT-In and NCIIPC have been extremely slow” to resolve a “critical security issue,” he added.
Pathak further claimed that an “immediate fix for the vulnerability could have been completed in a maximum of two hours.”
Read also : Technological crackdown is not new to the United States, Russia and China. We need a new agreement between the internet and the government
What is CDSL?
CDSL is one of the only two deposit systems in the country manage millions of investor accounts, the other being the National Securities Depository Limited (NSDL).
Whenever you buy stocks on the Bombay Stock Exchange, you do so through a brokerage firm. But the stock broker is just a middleman and the account with all your shares is actually stored with CDSL. Such an account is called a âdematerializedâ or demat account because your stock market shares are virtual.
CDSL is currently the largest custodian in India by number of active mat accounts.
How severe was the vulnerability?
The Commercial standard had, on October 19, reported an issue with CDSL that prevented investors from selling their shares. The CDSL portal used to authorize the sale of shares was not functioning.
Pathak, however, clarified that the issue reported by Commercial standard is not directly related to the vulnerability discovered by his company.
He claimed that the vulnerability discovered by CyberX9 exposed 19 types of data for each investor. This includes the amount deposited as annual income tax; net value; details of occupation; mat account number; name of broker; CDSL client ID; the full name of the individual investor; PAN number; kind; marital status; name of father / spouse; Date of Birth; Nationality; residential address; Permanent address; e-mail address; Contact number; and even the date and number of request to open a demat account.
Pathak added that the data was exposed due to a vulnerability in an application programming interface (API) used by CVL.
An API is software that sits between two computer applications. The two computer applications will use the API to send and receive data from each other.
CVL is a service set up to perform investor identity verification through KYC processes.
CVL, according to Pathak, “exposes all KYC data of anyone who has gone through the CDSL KYC process.”
An API used by CVL to communicate and receive data from the main CDSL computer server has a vulnerability that allows anyone with sufficient technical know-how to use this API to bypass the need for appropriate authorization to access sensitive data investors, Pathak said.
Independent tech researcher Srikanth, without knowing full details of the alleged data breach, said some companies lacked the manpower to monitor API usage.
âAuthorization loopholes in India typically relate to access credentials exposed to APIs available on the Internet, with which anyone can access and query the data behind the API,â he said. âMature organizations monitor API usage patterns and detect anomalies. However, most legacy organizations or non-native tech companies don’t have people, processes, technology to detect (anomalies) and data security is left to reporting vulnerabilities, âhe said.
Read also : Don’t like your Twitter followers? Now you can delete the ones you don’t want
What is CyberX9?
According to Pathak, CyberX9 has 15 senior cybersecurity experts based around the world and has been working for nearly three years in “stealth mode for Fortune 500 companies, law enforcement and high net worth individuals around the world.”
Pathak once founded a political consultancy firm, Get Known, and is a politician who was a founding member of the Aam Aadmi party, which later joined Congress.
Pathak said he is now making the identity of the CyberX9 company “more public”. The Twitter Profile for CyberX9 says it “protects against a wide range of cyberattacks, whether you are a business or a high net worth individual”.
(Edited by Arun Prashanth)
(The Bombay Stock Exchange emailed ThePrint after the publication of this report to clarify that CDSL not only manages accounts linked to it, but also other exchanges like NSE. The report has been updated. to reflect this.)
Read also : We need more chips – why the world is facing a semiconductor crisis and how customers are suffering
Subscribe to our channels on Youtube & Telegram
Why the news media is in crisis and how to fix it
India needs free, fair, uninhibited and questioning journalism even more as it faces multiple crises.
But the news media are in a crisis of their own. There have been brutal layoffs and pay cuts. The best of journalism is shrinking, giving in to crass spectacle in prime time.
ThePrint employs the best young reporters, columnists and editors. To maintain journalism of this quality, it takes smart, thoughtful people like you to pay the price. Whether you live in India or abroad, you can do it here.
Support our journalism