Indian securities depository exposed 44 million investors’ personal info – twice

Indian infosec consultancy CyberX9 claims it twice found records of 43.9 million shareholders exposed by systems operated by Central Depository Services Limited (CDSL) – and that the depository company responded slowly to its alerts of significant vulnerabilities.

CDSL bills itself as a crucial player in India’s financial markets. It serves exchanges, investors, and issuers with depository services – electronic records of investors and their shareholdings. The company claims to have almost a million customers.

CyberX9 has alleged that CDSL exposed data describing even more customers, with full names, tax department ID numbers, marital status, date of birth, nationality, residential address, email address, occupation details, and even the names of spouses and parents leaked.

The security consultancy hasn’t detailed how the records were exposed, describing the situation as “a case of sheer negligence by CDSL in securing sensitive client data”.

“The vulnerability wasn’t highly complex for our team to discover,” states CyberX9’s initial post.

A subsequent post detailing a second data
