On 24 June 2025, India’s Department of Telecommunications (DoT) released a draft amendment to the Telecom Cyber Security Rules, 2024, introducing a centralised Mobile Number Validation (MNV) system aimed at combating the rising tide of mobile-related cyber fraud. The initiative is part of a broader set of cybersecurity measures intended to fortify digital infrastructure and reduce impersonation and scam incidents, particularly in sectors such as fintech, e-commerce, and government services.
The MNV platform proposed under the amended Telecommunications (Telecom Cyber Security) Rules, 2024, would allow banks, financial institutions, e-commerce platforms, and other authorised entities to verify mobile numbers in real time before executing high-risk transactions or onboarding new users. Entities designated as Telecommunication Identifier User Entities (TIUEs) will be able to validate whether a mobile number is currently active, recently ported, or newly issued. This validation mechanism is expected to improve fraud detection and risk mitigation, especially where phone-based OTP authentication or identity confirmation is used.
Key Elements of the Draft Policy
The DoT’s draft outlines a tiered pricing model:
- ₹1.50 per check for government-authorised TIUEs
- ₹3.00 per check for other verified entities
Validation will be facilitated through authorised access to telco databases, and the system is to be operated under the supervision of the Telecom Regulatory Authority of India (TRAI). Additionally, telcos would be required to maintain updated logs of number deactivations and changes, thereby strengthening traceability in suspected fraud cases.
The draft policy also proposes stricter obligations on telcos to:
- Flag numbers involved in frequent scam activity
- Share such flags with the central system
- Automatically deactivate and clean up such numbers after a 90-day monitoring period
These steps align with the goals of Digital India and broader public safety priorities, including curbing identity fraud and mobile SIM misuse.
Potential Privacy and Compliance Concerns
While the initiative has been largely welcomed as a long-overdue counter to digital fraud, privacy advocates have raised significant concerns. Under the current proposal, a wide range of private and government platforms, including OTT services, messaging apps, and logistics companies, may be required to register as TIUEs, which could expand the scope of mobile number tracking beyond core telecom and financial services.
This raises important questions around:
- Proportionality of access to telecom subscriber data
- Data minimisation, particularly where mobile numbers are linked with Aadhaar or sensitive financial identifiers. Without strong limitations on how this data is collected, processed or shared, there is a heightened risk of profiling, unauthorised disclosure or downstream misuse, especially in the absence of adequate encryption or masking protocols.
- Retention obligations for TIUEs in the absence of clear safeguards or oversight mechanisms. Long-term storage of mobile usage or validation data without clear necessity can run counter to the principle of purpose limitation and data minimisation as enshrined in the DPDPA. Further, without an independent audit or regulatory checks, the risk of surveillance creep increases substantially.
The policy does not yet clarify what redress mechanisms individuals may have if their numbers are incorrectly flagged or deactivated, nor does it specify how consent and notification obligations will be handled under India’s Digital Personal Data Protection Act (DPDPA), 2023.
Sectoral Implications and Next Steps
A pilot implementation has already begun with select banking institutions, with a broader rollout expected post-consultation. The public has been invited to submit feedback on the draft policy until 15 July 2025, after which the DoT is expected to finalise the framework in consultation with the Telecom Regulatory Authority of India (TRAI) and relevant sectoral regulators.
If implemented effectively, the MNV system could become a foundational element of India’s digital trust infrastructure, helping institutions assess fraud risk and comply with evolving KYC and telecom norms. However, its success will depend on the inclusion of clear accountability standards, privacy-by-design architecture, and transparency mechanisms to balance security needs with citizens’ fundamental rights.
News of the week
1. Ransomware Locks Down Lucknow-Based Ad Firm
A Lucknow-based advertising company recently fell victim to a ransomware attack that left critical business data encrypted and systems inoperable. The attackers reportedly demanded ransom in exchange for restoring access. As a result, the company was forced to reset systems and rely on offline backups. Police are investigating potential phishing links or network vulnerabilities. This incident highlights the need for better endpoint protection and employee awareness training even in creative and media industries.
2. Apple to Pay $95M Over Siri Privacy Violations
Apple has agreed to a $95 million settlement in a class-action lawsuit that alleged its virtual assistant, Siri, recorded user conversations without consent. While Apple denies wrongdoing, the company is offering eligible U.S. users up to $20 per device involved. The case brought attention to how voice assistants can unintentionally gather sensitive audio data and the importance of clear user controls and privacy settings. Claims must be submitted by July 2, 2025.
3. Parking App Leak Exposes Data of 220,000+ Users in NYC
Manhattan Parking Group, which runs a major parking app in New York City, has suffered a data breach affecting over 220,000 users. The compromised data includes names, email addresses, vehicle plate numbers, parking locations, and contact information. Although no financial or payment data was involved, the leak raises significant privacy concerns, especially for users who may now be vulnerable to location-based phishing scams or social engineering attacks.