Indian government retreats from spy app mandate
US DOJ seizes Myanmar scam center website, Coupang execs sold company stock before breach was announced, Coupang is reviewing compensation for breach victims, Korea's Gmarket hit by string of unauthorized payments, Japan's Askul internet service resumes one month post-breach, much more

India sought to address concerns that its mandate to pre-install a cybersecurity app on mobile phones could invade privacy or enable surveillance, saying individuals can remove the software from devices.
In a Nov. 28 directive, the Ministry of Communications asked phone makers and importers to pre-install the Sanchar Saathi app, which is aimed at curbing cyber fraud. The order instructed firms to ensure the app is readily accessible and “that its functionalities are not disabled or restricted.”
“If you don’t want Sanchar Saathi, you can delete it,” Communications Minister Jyotiraditya Scindia said in a statement. “It is optional.”
The government’s order to require the app on mobile phones had sparked an uproar. Opposition Congress party leader Mallikarjun Kharge said in a Tuesday post on X that the move would lead to “snooping, surveilling, scanning and peeping,” calling it “akin to dictatorship.” (Shruti Srivastava / Bloomberg)
Related: India Press Information, Reuters, Reuters, 9to5Mac, The Indian Express, BMI, Ars Technica, eSecurity Planet, Internet Freedom Foundation, NDTV Profit, UPI, Press Trust of India, The Hindu, Asia Financial, DAILYSABAH, The New Indian Express, Mobile Europe, NYT > Cybersecurity, WebProNews, MediaNama, The Guardian, Macworld, iClarified, The420CyberNews, The New Indian Express, Devdiscourse News Desk, Tech-Economic Times, Business Standard, Techlusive, Reuters, Financial Times
The Department of Justice announced the dismantling of a website used by a scam center in Myanmar to siphon thousands of dollars from multiple victims.
An affidavit filed this week supported the domain seizure of tickmilleas.com — a spoof of the legitimate forex and commodities trading platform TickMill.
The recently created Scam Center Strike Force tracked the fake website back to the prominent Tai Chang scam compound in Kyaukhat, Myanmar. This is the third domain taken down by US officials in connection with the Tai Chang scam compound, which international law enforcement agencies raided three weeks ago.
The scammers used the fictitious TickMill domain to trick victims into depositing funds. The FBI said several victims used the domain and told agents that they were shown lucrative returns on what they thought were legitimate investments.
Victims were shown alleged deposits made by scammers into their accounts as proof that their money was growing on the platform.
“Despite the seized domains having been registered in early November 2025, the FBI has already identified multiple victims who used the domain in the last month to send cryptocurrency as part of what they believed were legitimate investments and were scammed out of their money,” the DOJ explained.
The domain also directed people to download apps allegedly connected to the website, and the FBI has notified Google and Apple of the fraudulent apps. Several of the apps were removed, according to the DOJ.
A law enforcement splash page has now been placed on the fake TickMill website. (Jonathan Greig / The Record)
Related: Justice Department, FBI, Cryptopolitan, Times of India

According to a Dec. 2 filing with the US Securities and Exchange Commission (SEC), two senior Coupang executives sold tens of millions of won worth of company stock shortly after a massive data breach occurred — but before the company acknowledged the incident — raising concerns about potential insider trading.
Gaurav Anand, Coupang’s chief financial officer, sold 75,350 shares on Nov. 10 at US$29.0195 each, totaling roughly US$2.19 million (about 3.2 billion won).
Pranam Kholari, a former senior vice president overseeing search and recommendations, also sold 27,388 shares on Nov. 17 for about US$772,000 (1.13 billion won). Kholari resigned on Nov. 14.
Both transactions took place before Coupang publicly disclosed the scope of the breach, but after unauthorized access to user accounts had occurred — a timeline likely to intensify scrutiny over whether executives acted on nonpublic information.
Separately, Korea's Personal Information Protection Commission (PIPC) said that e-commerce giant Coupang did not properly notify its customers of its recent major data breach and demanded a corrected notification, specifying personal information “leak,” not an “exposure” of such data.
The data protection regulator decided during an emergency meeting after Coupang announced last week that the personal information of 33.7 million customers — including names, addresses, and phone numbers — had been compromised.
While Coupang notified affected users of the breach, the company merely described it as personal information being “exposed” when it had actually been “leaked,” according to the PIPC.
The regulator said that Coupang also partially omitted stating which kinds of data had been affected and announced the breach on its website for only one to two days.
It ordered the company to notify affected customers again of the leak; advise them of data protection measures, such as changing their passwords; reinspect steps to prevent harm to customers; then submit the results of the measures to the PIPC within one week. (Ashley Song / Korea Biz Wire and Yonhap News)
Related: KoreaJoongAng Daily, The Chosun Daily, The Investor, Maeil Business Newspaper, Korea Tech Desk, The Chosun Daily
Coupang CEO Park Dae-jun said his company will "proactively review" providing compensation to users affected by a recent data breach.
"We will proactively review (providing compensation) for the victims," Park said during a parliamentary session, responding to a question on whether the firm intends to cover damages for all affected users.
When asked about the schedule, Park said the company is still assessing the scope of damage, without offering more details.
Last week, the U.S.-listed e-commerce giant said the personal information of 33.7 million customers had been compromised, indicating that personal information, including names, phone numbers, email addresses, and delivery details for nearly all Coupang members, was affected. (Yonhap News)
Related: The Korea Herald, Maeil Business Newspaper
Another high-profile cyber incident has emerged in Korea, this time with major e-commerce platform Gmarket after reports of unauthorized mobile payments, officials said.
The Financial Supervisory Service (FSS) launched the inspection on Tuesday after more than 60 Gmarket users reported that their accounts were used for unauthorized payments last week, according to FSS officials and retail industry sources.
The incident is believed to have occurred when mobile gift certificates were purchased using credit cards registered with Gmarket's simple payment service, SmilePay. Individual losses ranged from 30,000 won ($20.44) to 200,000 won.
Gmarket has claimed the incident was not caused by hacking attacks but by fraudulent payments made using account information stolen externally, an FSS official said, adding that authorities are working to verify the company's explanation. (Yonhap News)
Related: Maeil Business Newspaper, Business Korea, The Chosun Daily
One month after a ransomware attack by threat group RansomHouse, Japanese office and household goods supplier Askul Corp. resumed order receipts on the internet from corporate clients under its “Askul” brand service.
Internet order receipts, which had been suspended for about one and a half months, restarted at 9 a.m. on Wednesday, 12/3, the company said. At the same time, the number of items available for purchase was expanded to more than 14.5 million.
During the suspension of the online service, which was blamed on the ransomware attack on Oct. 19, Askul received orders only through fax.
Meanwhile, its “Lohaco” e-commerce service for individual customers will be resumed after the complete restoration of the service for corporate clients. (Nippon.com)
Related: NHK
The University of Pennsylvania joined the growing number of victims of the widespread data theft and extortion campaign involving the Clop group’s exploitation of a zero-day vulnerability and other defects in Oracle E-Business Suite earlier this year.
The university filed a data breach notification in Maine, confirming nearly 1,500 Maine residents were affected by an intrusion into its Oracle EBS environment over a three-day period in early August.
The Ivy League school and dozens of other victims were not aware of the attack until Oracle acknowledged the critical vulnerability after members of the Clop ransomware group sent extortion emails to alleged victim organizations in late September. Attackers exploited multiple vulnerabilities to steal large amounts of data from several Oracle EBS customers in August, according to Mandiant.
The university said it determined some personal information was stolen from its Oracle EBS system on Nov. 11, but did not provide details about how many people were impacted and what type of data was stolen during the attack. (Matt Kapko / CyberScoop)
Related: Maine Attorney General, The Register, Bleeping Computer, SQ Magazine
IRU macOS security researcher Csaba Fitzl complained that Apple's bug bounty program has reduced payments for discovered macOS flaws, despite Apple raising the maximum for more high-profile rewards.
In October, Apple said that the payouts in its Security Bounty program will increase considerably in November. While the bounties for some high-profile exploit chains have grown to as high as $2 million, complaints are being raised about other awards for some macOS categories.
In a post on LinkedIn, Fitzl claims that the Apple Security Bounty "devalued" macOS. The devaluing is apparently demonstrated by the lowering of awards for disclosing some specific bypasses.
"Full TCC (privacy) bypasses are down from $30.5k to $5k," Fitzl writes, while other individual TCC categories are reduced from payouts between $5,000 and $10,000 to just $1,000.
Under the updated program, Apple will pay $1,000 if someone has physical access to a locked Apple device and can access one class of sensitive user data. An example is a logic bug on a Lock Screen to view the last edited note. (Malcolm Owen / AppleInsider)
Related: Csaba Fitzl on LinkedIn, WebProNews
According to a Federal Trade Commission (FTC) complaint, ed tech company Illuminate publicly claimed to protect student information with strong security controls but instead stored data in plain text until at least January 2022, maintained weak access controls, and failed to monitor or patch vulnerabilities, even after a third-party vendor flagged numerous issues in early 2020.
After cyber incidents exposed student and educator data, including names, dates of birth, emails, and disciplinary information, the complaint said Illuminate delayed breach notifications to impacted school districts for months, despite promising to notify them in a matter of days. For some districts, Illuminate allegedly withheld breach notifications for nearly two years.
Under a proposed order, the company would be permanently banned from misrepresenting how it protects student information or how quickly it will notify districts and families of breaches. Within 90 days of the order’s effective date, Illuminate must delete or destroy all student and educator data collected through its products — including academic records and personal information — that are not necessary for contracted services, and enumerate exactly what was removed in a written statement to the FTC.
Illuminate would also need to publish a clear retention schedule on its website explaining the purpose of collecting different categories of information, such as identifiers, demographic data, academic records, or health details. The schedule must also include the business justification for retaining information and specific timelines for deletion.
The order also requires Illuminate to implement a comprehensive security program within 90 days. (Government Technology)
Related: FTC, The Record, SC Media, The Cyber Express, EdScoop, Bleeping Computer, The Register
As of this week, half of the states in the US are under restrictive age verification laws that require adults to hand over their biometric and personal identification to access legal porn.
Missouri became the 25th state to enact its own age verification law on Sunday. As it’s done in multiple other states, Pornhub and its network of sister sites—some of the largest adult content platforms in the world—pulled service in Missouri, replacing their homepages with a video of performer Cherie DeVille speaking about the privacy risks and chilling effects of age verification.
The other states include Louisiana, Utah, Mississippi, Virginia, Arkansas, Texas, Montana, North Carolina, Idaho, Kansas, Kentucky, Nebraska, Indiana, Alabama, Oklahoma, Florida, South Carolina, Tennessee, Georgia, Wyoming, South Dakota, North Dakota, Arizona, and Ohio. (Samantha Cole / 404 Media)
Related: KSDK-TV, Biometric Update, Android Headlines, TechRadar, r/technology
The Australian eSafety Commissioner announced that social media platforms must report monthly how many children’s accounts they close once Australia begins enforcing its 16-year age limit next week.
Facebook, Instagram, Kick, Reddit, Snapchat, Threads, TikTok, X, and YouTube would face fines of up to 50 million Australian dollars ($33 million) from Dec. 10 if they fail to take reasonable steps to remove accounts of Australian children younger than 16. Livestreaming service Twitch was added to the list of age-restricted platforms less than two weeks ago.
The Australian eSafety Commissioner will send the 10 platforms notices on Dec. 11 demanding information about the number of accounts removed. Monthly notices would follow for six months.
“The government recognizes that age assurance may require several days or weeks to complete fairly and accurately,” Communications Minister Anika Wells told the National Press Club of Australia. (Rod McGuirk / Associated Press)
Related: Reuters, BBC News, Biometric Update, The Guardian, Google, WinBuzzer, BBC, The Guardian, Crikey, Tech in Asia, 9News, Benzinga, iTnews, r/Australia, Dropsafe, Invezz, The420CyberNews
India’s Ministry of Civil Aviation has confirmed that multiple major airports, including Delhi, have experienced instances of GPS spoofing and GNSS interference, leading to temporary disruptions in flight operations and prompting heightened monitoring measures.
The Directorate General of Civil Aviation (DGCA) and Airports Authority of India (AAI) have initiated a thorough review and investigation.
In a written reply to the Rajya Sabha, Civil Aviation Minister Ram Mohan Naidu stated that aircraft operating near Delhi and other major airports have reported false or jammed GPS signals, which could potentially affect onboard navigation systems. (The 420 Correspondent)
Related: The Register, Dynamite News, ET Infra, Hindustan Times, The New Indian Express
Sources say the National Security Agency recently met its goal of shedding around 2,000 people from its workforce this year.
The reductions include a mix of civilian employees who were terminated, voluntarily left, or took deferred resignation offers, where they agree to leave government service early while still being paid for a set time period.
The figure marks a historic staffing reduction for the spy agency, one of the largest in the US intelligence enterprise. It reflects months-long pressures from the second Trump administration to downsize the federal government and clean out alleged bloat and politicization in its spy offices. (David DiMolfetta / NextGov/FCW)
Related: DefenseOne, r/fednews
Check Point Software Technologies Ltd. is raising $1.5 billion from the sale of a five-year zero-coupon convertible bond, partly to help fund share buybacks.
The Tel Aviv-based cybersecurity firm is offering a 25% to 30% conversion premium on the bonds. It expects to price the offering after the market close on Wednesday, according to people familiar with the matter. Proceeds will go toward buying back as much as $225 million of stock, the company said in a statement.
Citigroup Inc., JPMorgan Chase & Co., and Morgan Stanley are managing the offering, the people said, asking not to be identified because they’re not authorized to speak publicly. (Bailey Lipschultz and Anthony Hughes / Bloomberg)
Related: Globe Newswire, Investing.com
Best Thing of the Day: Making Troublesome Cloud Security a Bit Better
To narrow the widening gap between the frequency of software releases and the ability of security teams to validate them, Amazon Web Services (AWS) announced a significant expansion of its automated security capabilities, including a new tool capable of performing context-aware penetration testing without human intervention.
Worst Thing of the Day: Waiting for Customers to Advise You of a Breach
Korea's Coupang didn't realize it had suffered a massive data breach that is now a national emergency until one of its customers told the retailer that he had received an email from a stranger with records of his email interactions with the company.
Bonus Worst Thing of the Day: Your Toilet is Taking Pictures of Your Poo and Bum
Plumbing manufacturer Kohler's $600-plus-monthly-subscription device that attaches to the rims of toilet seats and collects images and data from inside the toilet is capable of collecting these images despite the company's touted use of end-to-end encryption.
