wordpress blog stats
Connect with us

Hi, what are you looking for?

Finance Ministry identifies weak link in CDSL that put sensitive data of investors at risk

The ministry’s answer in parliament revealed new details about a critical flaw at India’s largest securities depository.  

“…the web portal of CVL is vulnerable to Insecure Direct Object References. It was initially observed that on the login page of CVL, there was a possibility of getting access to the details of another user by changing the reference ID of the user,” the Ministry of Finance wrote in response to a question by Indian National Congress MP Manish Tewari in the winter session of Lok Sabha. The ministry also shed light on how the vulnerability was fixed “by encrypting the reference ID, the reply added.

The Central Depository Services Limited (CDSL) is one of the two SEBI-regulated depositories that hold securities like shares, mutual funds, and bonds in electronic format. Nearly 600 stockbrokers who collectively have over 4 crore investor accounts are associated with CDSL. CDSL Ventures (CVL) is a government-approved KYC registration agency owned by CDSL.

A second vulnerability was found in CVL which was promptly fixed by the firm and the same was conveyed to the Indian Computer Emergency Response Team (CERT-In). The ministry also revealed that a forensic audit of CVL was conducted at the direction of the Securities and Exchange Board of India (SEBI).

The ministry clarified that “there was no authorization vulnerability in any of the Application Programming Interfaces (APIs) and/or website of Central Depository Services Ltd. (CDSL)”.

Advertisement. Scroll to continue reading.

It is the first time that a vulnerability has been acknowledged by the government in critical infrastructure such as an agency that holds the data of lakhs of investors.

Why was this question raised in the Parliament?

It all started when a cybersecurity firm CyberX9 reported that CDSL, India’s largest securities depository, had exposed sensitive data of around 4.39 crore investors on November 8.

“We strongly suspect that the data might’ve already been stolen by malicious attackers,” CyberX9 had said then.

What personal and financial data were exposed?

CyberX9 reported that the exposed data includes sensitive personal details like:

  • Full name
  • Complete PAN No
  • Gender
  • Marital status
  • Father/spouse’s full name
  • Complete Date of Birth
  • Nationality
  • Complete residential address
  • Complete permanent address
  • Contact number(s)
  • Email address
  • Occupation details.

And financial details like:

  • Amount of annual income tax return filed
  • Net worth (along with the date on which it was updated)
  • Demat account number
  • Broker name
  • CDSL Client ID

Also read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.
Written By

I cover several beats such as crypto, telecom, and OTT at MediaNama. I will be loitering at my local theatre and consuming movies by the dozen when I am off work.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ