CDSL data breach: Indian depositories and the data mine they sit on

The Central Depository Services Limited (CDSL), which is one of the two key depositories of India and also the largest in terms of the number of investor accounts, is in the news for an alleged data breach at its subsidiary CDSL Ventures Limited (CVL), which is believed to have compromised the information of more than four crore investor accounts.

CVL is a KYC (Know Your Client) Registration Agency registered with the Securities and Exchange Board of India (SEBI) and maintains the KYC details of investors. There are a total of five registered KRAs in India, as per data on the SEBI website.

While a data breach is always dangerous as vital information is leaked and exposed to hackers, a breach at the depository or a KRA is all the more dangerous because of the sensitive information that depositories hold.

Depositories are one of the most important intermediaries of the capital market and are rightly termed Market Infrastructure Institutions or MIIs in regulatory parlance. Their role is no less important than that of the stock exchange, which facilitates trading or the clearing corporations, which clear such trades.

Depositories are the entities that actually store the financial securities -- shares, bonds or mutual funds -- in demat form or in a paperless way. Physical or paper share certificates are no longer allowed and hence all the shares are now stored in dematerialised -- or demat in market parlance -- form.

More importantly, a KRA like CVL has all the more information stored with it as the whole KYC data is in its database. Details regarding PAN, address, email ID, bank accounts, date of birth and gender etc are also captured and stored in the depository and KRA database. And, that's the reason why a data breach at a depository or a KRA could have far-reaching consequences.

While CDSL has nearly 4.7 crore investor accounts registered with it, NSDL has 2.42 active investor accounts. Further, CDSL has seen the number of active accounts register a growth of nearly 84 per cent during the last 12 months ended October 2021.

According to reports, cyber security consultancy start-up CyberX9 has alleged that a vulnerability at CVL has exposed the financial and personal data of more than four crore investors twice in a period of 10 days.

CVL, on its part, has said it has fixed the vulnerability and also taken steps to mitigate any other potential security issues.

Also read: Info of 4.39 cr investors exposed twice within 10 days due to data breach at CDSL's KYC arm: CyberX9