Data of Only 20 WhatsApp Users Compromised By Pegasus Spyware, Says Govt

In the ongoing WhatsApp Pegasus spying controversy, India’s IT minister Ravi Shankar Prasad told Lok Sabha on Wednesday (December 4) that the personal data of 20 WhatsApp users might have been accessed by the NSO group.

Responding to a question titled ‘Extent of WhatsApp Privacy Breach,’ Prasad said WhatsApp is reviewing the available information at the moment. Further, he said that WhatsApp believes that out of 121 users whose devices were attempted to hack using Pegasus spyware, only 20 users in India were breached.

Inc42 reached out to WhatsApp to confirm the answer given by the minister in the Lok Sabha, but did not receive any response till the time of publishing of this report. We will update it once we get an official statement from the company regarding the extent of the Pegasus spying.

Furthermore, Prasad said that the government operates strictly as per provisions of law and has laid down protocols and safeguards to ensure adequate security so that citizens are not impacted by such data breaches and other cyber-attacks.

This comes at a time when Google recently revealed that it sent more than 12K warnings to users in 149 nations, who were allegedly targetted by government-backed attackers. Google said that over 90% of these users were targetted using “credential phishing emails,” where the attacker tries to obtain the target’s passwords account details, contact numbers and more. However, Google didn’t reveal the exact number of Indian users, but its thermal map indicated that India had at least 500 users who fell victim to government-backed attacks.

Last month, the Indian government announced that it would conduct an audit of WhatsApp’s security systems to prevent any spying from happening in the country. Prasad said that WhatsApp in two high-level meetings in July and September 2019, never mentioned anything about the security breach or cyber-attacks on Indian users. However, when they reported the incident to CERT-In, it had only mentioned that the company had identified the vulnerability and fixed with, without the mention of Pegasus or spying on Indian citizens.

Additionally, the government also is at the verge of finalising the social media regulation which is expected to be effective early next year. The proposed intermediary guidelines include social media companies setting up an office in India, having a nodal officer for coordinating with the government, reporting information within 24 hours and traceability of the message source or post among others.

Etching data localisation in the country, the government has plans to mandate digital companies to store data of Indian users in the country. According to the government, if WhatsApp’s data was stored in India, it would have been easier for the authorities to carry out the investigation related to Pegasus spyware case.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.