Watchdog ‘intensively pursuing’ answers over WhatsApp hack

Data commissioner in frequent contact with messaging firm to see if EU users are affected

Helen Dixon, head of the Irish Data Protection Commission, said she had not heard of any WhatsApp users contacting the regulator to say they had been directly affected by the hack.

Helen Dixon, head of the Irish Data Protection Commission, said she had not heard of any WhatsApp users contacting the regulator to say they had been directly affected by the hack.

 

The State’s data privacy watchdog is “intensively pursuing” answers from WhatsApp to find out if and how many European users are affected by a security breach in the popular messaging app.

Helen Dixon, head of the Irish Data Protection Commission, said that her office had been in regular contact with the Facebook-owned messaging company over recent days following the cyber attack.

WhatsApp urged the company’s 1.5 billion users on Monday to update their apps as a precaution after hackers remotely installed surveillance software on phones and other devices using the messaging service.

Ms Dixon told The Irish Times that she had not heard of any WhatsApp users contacting the regulator to say that they had been directly affected by the hack.

“We have been in touch frequently over the last two days with WhatsApp in order to get data from it once it has identified – if it can – which and how many users have been affected,” she said.

Under new European Union privacy rules introduced last year, the Irish data privacy regulator is WhatsApp’s EU-wide regulator as its “lead supervisory authority” given that Facebook’s European base is in Dublin. The company must report “notifiable breaches” to the commission under the General Data Protection Regulation.

The regulator said that it was informed on Monday evening by WhatsApp Ireland of a “serious security vulnerability” on its platform that “may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed”.

WhatsApp has not yet notified the commission that there had been a breach of personal data under the GDPR rules as the company was still investigating whether any EU user data had been affected.

Scale

Ms Dixon said that her officials were seeking answers from the messaging company to understand the scale of the hack and the number of users caught up in the attack.

“We are intensively pursuing this with a series of questions to try to get the shape of how this issue may affected EU persons and what the role of WhatsApp is,” she said.

There had been a “back and forth” in communications between her office and the company but “there has been no substantive information disclosed to us,” she said.

WhatsApp has been unable to estimate how many phones were affected with the software, which has been used to target a UK-based human rights lawyer who had helped Mexican journalists and government critics and a Saudi dissident living in Canada.

The company discovered earlier this month that hackers were able to install commercial spyware on both iPhones and Android phones by ringing up targets using the app’s phone call function.

The Financial Times reported that the malicious code was developed by the Israeli firm NSO Group and could be transmitted even if users did not answer their phones.

WhatsApp has promoted its messaging service as a “secure” communications app because communications are end-to-end encrypted, meaning that they can be read only on the devices of the sender and recipient.

The company said that teams of engineers had worked over the weekend at its offices in San Francisco and London to close the loophole.