WhatsApp has not as yet informed the Data Protection Commissioner of any data protection breaches arising from the discovery of a security hole in its popular messaging app.
In a statement, the commissioner said it was “actively engaging with WhatsApp Ireland to determine if and to what extent any EU user data has been affected”.
“While the possibility remains that EU users were affected and in light of the understood severity of the incident, all WhatsApp users are urged to ensure that the latest version of the WhatsApp application is installed on their device, available via the Apple Store or Google Play Store,” it said.
WhatsApp, which is used by 1.5 billion people worldwide and is owned by Facebook, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app's phone call function.
The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.
WhatsApp, which said the company quickly addressed the problem within its own infrastructure, has told users to update to the latest version of the app which was published Monday.
The company has also alerted US law enforcement to the exploit, and published a “CVE notice”, an advisory to other cybersecurity experts alerting them to “common vulnerabilities and exposures”.
WhatsApp said it is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, a person familiar with the issue said.
Pegasus
NSO’s flagship product is Pegasus, a programme that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.
NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. NSO was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital.
In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
WhatsApp disclosed the issue to the US Department of Justice last week, according to a person familiar with the matter. A justice department spokesman declined to comment.
NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.
On Tuesday, NSO will face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defence.
Additional reporting– Financial Times