Indian securities depository exposed 44 million investors' personal info – twice
2021-11-09 04:58

Indian infosec consultancy CyberX9 claims it twice found records of 43.9 million shareholders exposed by systems operated by Central Depository Services Limited (CDSL), and that the depository company responded slowly to its alerts of significant vulnerabilities.

CyberX9 has alleged that CDSL exposed data describing even more customers, with full names, tax department ID numbers, marital status, date of birth, nationality, residential address, email address, occupation details, and even the names of spouses and parents leaked.

The security consultancy hasn't detailed how the records were exposed, describing the situation as "a case of sheer negligence by CDSL in securing sensitive client data".

The security firm also offers a timeline of its disclosures to CDSL, alleging that the depository firm does not advertise a contact for infosec issues and did not respond to CyberX9's first notification for seven days.

CDSL told Indian media that the vulnerabilities were present in its website, and that it acted promptly upon receiving notifications from CyberX9.

CyberX9 has called for an independent audit of CDSL's systems and infosec practices, and warned customers that the simplicity of the work required to exploit the vulnerabilities means they should assume their data was accessed and look out for phishing and other scams made easier by the wealth of data on offer.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/09/cdsl_data_leak/