Press "Enter" to skip to content

WhatsApp admits it could’ve handled data breach better


New Delhi:
WhatsApp told India’s nodal cyber agency on May 20 that it could be hacked through a malicious code inserted and executed on mobile phones, and ‘promptly fixed’ it, three days after the government issued an advisory to users about the vulnerability. “The Indian Computer Emergency Response Team (CERT-In) published a vulnerability note on May 17, 2019 advising countermeasures to users regarding a vulnerability in WhatsApp. Subsequently, on May 20, 2019 WhatsApp reported an incident to the CERT-In stating that WhatsApp had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attacks,” Union minister of electronics and information technology Ravi Shankar Prasad told the Lok Sabha on Wednesday. He dismissed as ‘completely misleading’ the attempts to malign the government for the reported breach.

“Some statements have appeared, based on reports in media, regarding this. These attempts to malign the government of India for the reported breach are completely misleading,” he said, when asked whether the government had taken cognizance of reports alleging it had purchased the Israeli NSO Group-owned Pegasus spyware, reportedly behind the attack on WhatsApp. ET was the first to report on November 6 that WhatsApp delayed communicating to India the vulnerability that affected 121 people in the country. The government said a spyware possibly affected around 1,400 users globally, including Indians, according to the ministry’s response.

“The government is committed to protect the fundamental rights of citizens, including the right to privacy. The government operates strictly as per provisions of law and laid down protocols,” Prasad said in a written response to a question by Asaduddin Owaisi. WhatsApp told the government that it could have communicated the issue better to the Indian authorities, it said in a statement, in a departure from its earlier stance on the issue. On September 5, 2019 WhatsApp wrote to CERT-In mentioning an update to the security incident reported in May, and that while the full extent of this attack may never be known, WhatsApp continued to review the available information, according to the response.

Separately, the government said it was “working on the Personal Data Protection Bill to safeguard the privacy of citizens, and it is proposed to table it in Parliament,” Prasad said, without mentioning a timeline. It informed Parliament that there was no proposal to link Aadhaar with social media accounts of individuals, and said that Section 69A of the Information Technology Act, 2000, empowers the government to block data under certain conditions, such as public order and security of the state.

Source: Economic Times