In a Fresh Statement WhatsApp Calls Pegasus Breach ‘Cyber Attack’

WhatsApp has now officially responded to the Centre on the security incident related to the Pegasus breach. 

4 min read

WhatsApp on Tuesday, 5 November, issued a fresh statement over the Pegasus breach, calling it a “cyber attack”, while it had called it a “security issue” in its previous statement issued on Friday.

In the same statement, it said technology companies are constantly working to stay ahead of such “challenges” and reiterated that the safety and security of its users remained its “highest priority.”

“In May, our security team caught and stopped a cyber attack designed to send malware to mobile devices,” a WhatsApp spokesperson said in an official statement on Tuesday.

On 30 October, Head of WhatsApp Will Cathart had also called it a cyber attack in his piece in The Washington Post, writing that WhatsApp “had detected and blocked a new kind of cyber attack involving a vulnerability in our video-calling feature.”

He went on to state that “companies simply should not launch cyber attacks against other companies” and that “far more needs to be done to define what amounts to proper oversight of cyber weapons”.


Here’s WhatsApp’s official statement from Tuesday, reproduced in full:

"WhatsApp provides industry leading end-to-end encryption to help protect user privacy and security. In May, our security team caught and stopped a cyber attack designed to send malware to mobile devices. Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones. Technology companies are constantly working to stay ahead of these kind of challenges through updates and patches. The safety and security of our users remains our highest priority, which is why in May we blocked the attack and have taken action in the courts to hold NSO accountable."

What Did the Initial Statement Say

Earlier, WhatsApp responded to the Ministry of Electronics and IT on the security incident related to the breach by Pegasus malware, sources confirmed to The Quint on Saturday, 2 November. The messaging platform has also confirmed that its reply includes updates that WhatsApp had sent to CERT-In in May and September.”

Here’s WhatsApp’s official statement from Friday, reproduced in full:

“Our highest priority is the privacy and security of WhatsApp users. In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable. We agree with the government of India it's critical that together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide.”

Will Cathart, WhatsApp global head, had written in an op-ed in The Washington Post that the security issue is related to the Pegasus spyware breach, but clarified that at the time it wasn’t attributed to NSO as they “weren’t sure.”

The Indian Computer Emergency Response Team (CERT-IN), the nodal agency for dealing with cyber security threats, issued an advisory dated 17 May 2019, describing the issue as a vulnerability “which could be exploited by a remote attacker”.

WhatsApp has now officially responded to the Centre on the security incident related to the Pegasus breach. 
A screengrab of the CERT-IN advisory.
(Photo: Screengrab/

Centre Unhappy Over WhatsApp Not Mentioning in Previous Meetings

Meanwhile, the Centre on Friday said that it was unhappy that WhatsApp had failed to disclose in past meetings with the government that Indian citizens were being spied upon, LiveMint reported.

Information Technology minister Ravi Shankar Prasad had met WhatsApp senior management in July and September to discuss the government’s concerns over “traceability of messages".

“In all our high-level interactions with WhatsApp over traceability concerns, the senior management never disclosed that snooping was happening.”
Government official

According to the Information Technology Act, all companies operating in India are required to report any incident of cyber fraud to the Centre.

“Platforms are answerable to national security agencies, something that the government has been asking for in the past," the official added.

According to LiveMint, the government itself is puzzled over how a particular set of people, who had spoken against the government, was targeted for snooping. “The timing is suspicious," the official said, adding that the government was wondering if “it was a rear guard action by WhatsApp to prevent the government’s measures to bring in traceability and accountability".

WhatsApp is suing Israeli spyware developer NSO Group for using its spyware Pegasus to exploit a vulnerability in WhatsApp that allowed attackers to plant it in users’ phones just by ringing the target’s device.

Since Tuesday, The Quint has been able to confirm 20 Indian citizens who were targeted by Pegasus spyware. Those snooped upon are lawyers associated with the Elgar Parishad and Bhima Koregaon case, anti-caste activists and journalists reporting on defence.

The NSO Group, which makes the spyware used to target at least two dozen Indian citizens, has told The Quint that it “is not able to disclose who is or is not a client” but at the same time reiterated that its software products are sold to no entity but governments.

(With inputs from LiveMint)

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

Speaking truth to power requires allies like you.
Become a Member
Read More