Security News

India's government last week released a draft telco law that defines all over-the-top services as telecoms providers and therefore makes them subject to the same regulations imposed on carriers. The draft Indian Telecommunication Bill, 2022 [PDF] defines a telecommunications service as including "Broadcasting services, electronic mail, voice mail, voice, video and data communication services" delivered over fixed or mobile networks.

Akasa Air, India's newest commercial airline, exposed the personal data belonging to its customers that the company blamed on a technical configuration error. The bug was identified on August 7, 2022, the same day the low-cost airline commenced its operations in the country.

The government of India has scrapped the Personal Data Protection Bill it's worked on for three years, and announced it will - eventually - unveil a superior bill. The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows.

Google has brought its Street View service - which offers photographs of most locations on Google Maps - back to India, six years after the nation rejected it as an invasion of privacy and a threat to national security. India blocked Street View in 2016 due to national security authorities feeling that freely available photography could assist terrorists.

India's Ministry of Electronics and Information Technology and the local Computer Emergency Response Team have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India.

From Radware, a hacktivist group called DragonForce Malaysia, "With the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India." In addition to DDoS, their targeted campaign - dubbed "OpsPatuk" - involves advanced threat actors "Leveraging current exploits, breaching networks and leaking data." DragonForce Malaysia - best known for their hacktivism in support of the Palestinian cause - have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

Surfshark announced today they are shutting down its VPN services in India in response to the new requirements in the country that demand all providers to keep customer logs for 180 days. VPN services aim to provide privacy to internet users by encrypting their network traffic and hiding their actual IP addresses behind those assigned to servers hosted at providers worldwide.

Virtual Private Network provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team. "Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said.

Virtual private network operator ExpressVPN will pull its servers from India, citing the impossibility of complying with the nation's incoming requirement to record users' identities and activities. ExpressVPN offers software that routes traffic through servers that load their operating systems entirely into RAM and therefore leave no trace of users' activities on persistent media.

Eleven significant tech-aligned industry associations from around the world have reportedly written to India's Computer Emergency Response Team to call for revision of the nation's new infosec reporting and data retention rules, which they criticise as inconsistent, onerous, unlikely to improve security within India, and possibly harmful to the nations economy. The rules were introduced in late April and are extraordinarily broad. For example, operators of datacenters, clouds, and VPNs, are required to register customers' names, dates on which services were used, and even customer IP addresses, and store that data for five years.