#FactCheck - "Deepfake Video Falsely Claims Justin Trudeau Endorses Investment Project”

Introduction

India's National Commission for Protection of Child Rights (NCPCR) is set to approach the Ministry of Electronics and Information Technology (MeitY) to recommend mandating a KYC-based system for verifying children's age under the Digital Personal Data Protection (DPDP) Act. The decision to approach or send recommendations to MeitY was taken by NCPCR in a closed-door meeting held on August 13 with social media entities. In the meeting, NCPCR emphasised proposing a KYC-based age verification mechanism. In this background, Section 9 of the Digital Personal Data Protection Act, 2023 defines a child as someone below the age of 18, and Section 9 mandates that such children have to be verified and parental consent will be required before processing their personal data.

Requirement of Verifiable Consent Under Section 9 of DPDP Act

Regarding the processing of children's personal data, Section 9 of the DPDP Act, 2023, provides that for children below 18 years of age, consent from parents/legal guardians is required. The Data Fiduciary shall, before processing any personal data of a child or a person with a disability who has a lawful guardian, obtain verifiable consent from the parent or lawful guardian. Additionally, behavioural monitoring or targeted advertising directed at children is prohibited. 

Ongoing debate on Method to obtain Verifiable Consent

Section 9 of the DPDP Act gives parents or lawful guardians more control over their children's data and privacy, and it empowers them to make decisions about how to manage their children's online activities/permissions. However, obtaining such verifiable consent from the parent or legal guardian presents a quandary. It was expected that the upcoming 'DPDP rules,' which have yet to be notified by the Central Government, would shed light on the procedure of obtaining such verifiable consent from a parent or lawful guardian.

However, In the meeting held on 18th July 2024, between MeitY and social media companies to discuss the upcoming Digital Personal Data Protection Rules (DPDP Rules), MeitY stated that it may not intend to prescribe a ‘specific mechanism’ for Data Fiduciaries to verify parental consent for minors using digital services. MeitY instead emphasised obligations put forth on the data fiduciary under section 8(4) of the DPDP Act to implement “appropriate technical and organisational measures” to ensure effective observance of the provisions contained under this act. 

In a recent update, MeitY held a review meeting on DPDP rules, where they focused on a method for determining children's ages. It was reported that the ministry is making a few more revisions before releasing the guidelines for public input.

CyberPeace Policy Outlook

CyberPeace in its policy recommendations paper published last month, (available here) also advised obtaining verifiable parental consent through methods such as Government Issued ID, integration of parental consent at ‘entry points’ like app stores,  obtaining consent through consent forms, or drawing attention from foreign laws such as California Privacy Law, COPPA, and developing child-friendly SIMs for enhanced child privacy.

CyberPeace in its policy paper also emphasised that when deciding the method to obtain verifiable consent, the respective platforms need to be aligned with the fact that verifiable age verification must be done without compromising user privacy. Balancing user privacy is a question of both technological capabilities and ethical considerations. 

DPDP Act is a brand new framework for protecting digital personal data and also puts forth certain obligations on Data Fiduciaries and provides certain rights to Data Principal. With upcoming ‘DPDP Rules’ which are expected to be notified soon, will define the detailed procedure for the implementation of the provisions of the Act. MeitY is refining the DPDP rules before they come out for public consultation. The approach of NCPCR is aimed at ensuring child safety in this digital era. We hope that MeitY comes up with a sound mechanism for obtaining verifiable consent from parents/lawful guardians after taking due consideration to recommendations put forth by various stakeholders, expert organisations and concerned authorities such as NCPCR. 

References

1. https://www.moneycontrol.com/technology/dpdp-rules-ncpcr-to-recommend-meity-to-bring-in-kyc-based-age-verification-for-children-article-12801563.html
2. https://pune.news/government/ncpcr-pushes-for-kyc-based-age-verification-in-digital-data-protection-a-new-era-for-child-safety-215989/#:~:text=During%20this%20meeting%2C%20NCPCR%20issued,consent%20before%20processing%20their%20data
3. https://www.hindustantimes.com/india-news/ncpcr-likely-to-seek-clause-for-parents-consent-under-data-protection-rules-101724180521788.html
4. https://www.drishtiias.com/daily-updates/daily-news-analysis/dpdp-act-2023-and-the-isssue-of-parental-consent

‍

Introduction

In today’s time, everything is online, and the world is interconnected. Cases of data breaches and cyberattacks have been a reality for various organisations and industries, In the recent case (of SAS), Scandinavian Airlines experienced a cyberattack that resulted in the exposure of customer details, highlighting the critical importance of preventing customer privacy. The incident is a wake-up call for Airlines and businesses to evaluate their cyber security measures and learn valuable lessons to safeguard customers’ data. In this blog, we will explore the incident and discuss the strategies for protecting customers’ privacy in this age of digitalisation.

Analysing the backdrop

The incident has been a shocker for the aviation industry, SAS Scandinavian Airlines has been a victim of a cyberattack that compromised consumer data. Let’s understand the motive of cyber crooks and the technique they used :

Motive Behind the Attack: Understanding the reasons that may have driven the criminals is critical to comprehending the context of the Scandinavian Airlines cyber assault. Financial gain, geopolitical conflicts, activism, or personal vendettas are common motivators for cybercriminals. Identifying the purpose of the assault can provide insight into the attacker’s aims and the possible impact on both the targeted organisation and its consumers. Understanding the attack vector and strategies used by cyber attackers reveals the amount of complexity and possible weaknesses in an organisation’s cybersecurity defences. Scandinavian Airlines’ cyber assault might have included phishing, spyware, ransomware, or exploiting software weaknesses. Analysing these tactics allows organisations to strengthen their security against similar assaults.

Impact on Victims: The Scandinavian Airlines (SAS) cyber attack victims, including customers and individuals related to the company, have suffered substantial consequences. Data breaches and cyber-attack have serious consequences due to the leak of personal information.

1)Financial Losses and Fraudulent Activities: One of the most immediate and upsetting consequences of a cyber assault is the possibility of financial loss. Exposed personal information, such as credit card numbers, can be used by hackers to carry out illegal activities such as unauthorised transactions and identity theft. Victims may experience financial difficulties and the need to spend time and money resolving these concerns.

2)Concerns about privacy and personal security: A breach of personal data can significantly impact the privacy and personal security of victims. The disclosed information, including names, addresses, and contact information, might be exploited for nefarious reasons, such as targeted phishing or physical harassment. Victims may have increased anxiety about their safety and privacy, which can interrupt their everyday life and create mental pain.

3) Reputational Damage and Trust Issues: The cyber attack may cause reputational harm to persons linked with Scandinavian Airlines, such as workers or partners. The breach may diminish consumers’ and stakeholders’ faith in the organisation, leading to a bad view of its capacity to protect personal information. This lack of trust might have long-term consequences for the impacted people’s professional and personal relationships.

4) Emotional Stress and Psychological Impact: The psychological impact of a cyber assault can be severe. Fear, worry, and a sense of violation induced by having personal information exposed can create emotional stress and psychological suffering. Victims may experience emotions of vulnerability, loss of control, and distrust toward digital platforms, potentially harming their overall quality of life.

5) Time and Effort Required for Remediation: Addressing the repercussions of a cyber assault demands significant time and effort from the victims. They may need to call financial institutions, reset passwords, monitor accounts for unusual activity, and use credit monitoring services. Resolving the consequences of a data breach may be a difficult and time-consuming process, adding stress and inconvenience to the victims’ lives.

6) Secondary Impacts: The impacts of an online attack could continue beyond the immediate implications. Future repercussions for victims may include trouble acquiring credit or insurance, difficulties finding future work, and continuous worry about exploiting their personal information. These secondary effects can seriously affect victims’ financial and general well-being.

Apart from this, the trust lost would take time to rebuild.

Takeaways from this attack

The cyber-attack on Scandinavian Airlines (SAS) is a sharp reminder of cybercrime’s ever-present and increasing menace. This event provides crucial insights that businesses and people may use to strengthen cybersecurity defences. In the lessons that were learned from the Scandinavian Airlines cyber assault and examine the steps that may be taken to improve cybersecurity and reduce future risks. Some of the key points that can be considered are as follows:

Proactive Risk Assessment and Vulnerability Management: The cyber assault on Scandinavian Airlines emphasises the significance of regular risk assessments and vulnerability management. Organisations must proactively identify and fix possible system and network vulnerabilities. Regular security audits, penetration testing, and vulnerability assessments can help identify flaws before bad actors exploit them.

Strong security measures and best practices: To guard against cyber attacks, it is necessary to implement effective security measures and follow cybersecurity best practices. Lessons from the Scandinavian Airlines cyber assault emphasise the importance of effective firewalls, up-to-date antivirus software, secure setups, frequent software patching, and strong password rules. Using multi-factor authentication and encryption technologies for sensitive data can also considerably improve security.

Employee Training and Awareness: Human mistake is frequently a big component in cyber assaults. Organisations should prioritise employee training and awareness programs to educate employees about phishing schemes, social engineering methods, and safe internet practices. Employees may become the first line of defence against possible attacks by cultivating a culture of cybersecurity awareness.

Data Protection and Privacy Measures: Protecting consumer data should be a key priority for businesses. Lessons from the Scandinavian Airlines cyber assault emphasise the significance of having effective data protection measures, such as encryption and access limits. Adhering to data privacy standards and maintaining safe data storage and transfer can reduce the risks connected with data breaches.

Collaboration and Information Sharing: The Scandinavian Airlines cyber assault emphasises the need for collaboration and information sharing among the cybersecurity community. Organisations should actively share threat intelligence, cooperate with industry partners, and stay current on developing cyber threats. Sharing information and experiences can help to build the collective defence against cybercrime.

Conclusion

The Scandinavian Airlines cyber assault is a reminder that cybersecurity must be a key concern for organisations and people. Organisations may improve their cybersecurity safeguards, proactively discover vulnerabilities, and respond effectively to prospective attacks by learning from this occurrence and adopting the lessons learned. Building a strong cybersecurity culture, frequently upgrading security practices, and encouraging cooperation within the cybersecurity community are all critical steps toward a more robust digital world. We may aim to keep one step ahead of thieves and preserve our important information assets by constantly monitoring and taking proactive actions.

Introduction
‍

In April 2026, Anthropic revealed Claude Mythos, an artificial intelligence application capable of finding security flaws in computer networks more effectively than human beings. The corporation claimed to have found hundreds of thousands of substantially serious vulnerabilities in established desktop operating systems and web-based browsers that have not been used for at least 20 years. This news has greatly alarmed those responsible for leading financial organisations, banks, and governments throughout the world. Nevertheless, this news demonstrates a much larger problem: we do not have enough cybersecurity professionals trained to do this kind of work. At the current estimate, there are 4.8 million cyber security professionals short of what is needed globally. There is a need to develop different kinds of workforce training programs to help prepare these professionals as we continue to see the emergence of new AI technologies.

‍

What Is Claude Mythos ?
‍

Anthropic created Claude Mythos as part of its Claude AI system, competing against ChatGPT and Google Gemini. In April 2026, expert testing revealed Mythos excelled at identifying problems in legacy code and suggested exploitation methods. It found a vulnerability that had existed for 27 years. Because of these advanced capabilities, Anthropic restricted access through “Project Glasswing,” giving it only to 12 major tech companies and 40 organizations managing critical software. Canadian Finance Minister François-Philippe Champagne called it an “unknown unknown.” Andrew Bailey of the Bank of England said regulators needed to examine what Mythos could mean for financial attacks. The European Union raised concerns. India’s Finance Minister Nirmala Sitharaman warned at SEBI’s Foundation Day on April 25, 2026, that cybersecurity is the single most pressing challenge facing markets today. She stated a single successful cyberattack on a major exchange or large broker could disrupt markets nationally and shake public confidence for years. Sitharaman emphasized that AI tools make attacks faster, more adaptive, and autonomous, capable of discovering system vulnerabilities and manipulating code.

‍

The Real Problem: Discovery Versus Fixing
‍

Mythos highlights a fundamental mismatch in cybersecurity. Finding a vulnerability does not guarantee it will be fixed. Organizations face challenges patching systems. Many use obsolete technology, and updates can break dependent components. Organizations in developing nations often lack financial resources for repairs or downtime. Critical systems like hospitals, banks, and power grids cannot go offline. Before Mythos, human hackers found vulnerabilities slowly. Now AI tools find weaknesses faster than they can be fixed, creating a dangerous gap. Ciaran Martin, former head of the UK’s National Cyber Security Centre, explained that Mythos is “a really good hacker” against unprotected systems. Organizations following basic security practices—regular updates, strong passwords, network protection, trained staff can likely defend against it. The UK AI Safety Institute concluded Mythos poses the biggest threat to poorly defended systems, noting: “We cannot say for sure whether Mythos Preview would be able to attack well-defended systems.”

‍

The Workforce Challenge
‍

The Mythos announcement exposes the real problem: we lack enough trained cybersecurity workers. There is a global shortage of 4.8 million workers against a current workforce of 5.5 million. In AI security specifically, 34 percent of needed skills are missing. But the harder problem is that AI is changing needed skills. Entry-level jobs monitoring security alerts are being automated. These were traditional career starting points. Young people learned basic skills and moved to advanced roles. Now these positions disappear while new AI security jobs emerge for which nobody has training. Organizations cannot hire fast enough for new AI roles because few people have these skills. This leads to a vicious cycle. With fewer entry-level positions available, there will be fewer young adults entering the job market which results in even fewer workers with this skill set; thus, the shortage of qualified applicants increases; this thereby increases organizations’ vulnerability. Without action taken immediately, this issue will continue to worsen 

‍

Way Forward
‍

1. Clarify What Skills We Need

Governments and industry must work together to define what cybersecurity workers need in an AI world. Currently, aspiring professionals study networking, software, and vulnerability finding, but AI security training barely exists. Governments should work with universities and companies to clarify needed skills: understanding what AI tools can and cannot do in security, finding and fixing AI system problems.

2. Support Workers Who Lose Jobs To Automation

Workers who find themselves losing their jobs due to automation will require government support. All too often without an alternative, these skilled and trained workers will leave their profession forever. The government will need to provide funding for training of displaced employees, support for those changing careers to become cyber security professionals.

3. Create Clear Rules For AI Security Tools

When companies create powerful security tools, governments must understand their capabilities and risks. Companies should be required to thoroughly test tools before release, clearly explain what tools can do and their limitations, and explain safety and misuse prevention plans. Governments should monitor actual tool usage, not simply trust voluntary compliance.

4. Focus On Basic Security First

Most attacks do not need advanced AI tools. They succeed because organizations have not implemented basic security. Some never update software, train employees, use strong passwords, protect data properly, or test defenses. Governments should require organizations, especially those managing critical systems, to implement these basics.

‍

Conclusion
‍

Claude Mythos matters not because it is a weapon of destruction, but because it forces hard questions: Do we have enough skilled workers? Are our systems well-protected? The answer is no. We face a shortage of 4.8 million cybersecurity workers and lack AI security training. Yet this is also an opportunity. Governments can invest in training, strengthen defenses, and create clear rules for AI security tools. Governments, organizations and educational institutions must collaborate to create viable Cybersecurity career pathways. We can act through either creating panic or creating a trained and prepared workforce to meet today’s challenges. The time is now.

‍

References 
‍

1. https://www.bbc.com/news/articles/crk1py1jgzko
2. https://red.anthropic.com/2026/mythos-preview/ 
3. https://www.anthropic.com/project/glasswing 
4. https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities 
5. https://www.bsg.ox.ac.uk/people/ciaran-martin 
6. https://www.isc2.org/Insights/2024/10/Cybersecurity-Workforce-INSIGHTS-October-2024 
7. https://decrypt.co/364141/anthropic-claude-mythos-serious-threat-overhyped-ai-security-institute 
8. https://www.businesstoday.in/latest/economy/story/fm-nirmala-sitharaman-wants-sebi-regulated-entities-to-remain-exceptionally-vigilant-heres-why-527437-2026-04-25 
9. https://www.theweek.in/news/biz-tech/2026/04/25/sebi-38th-anniversary-cybersecurity-concerns.html 

‍