WhatsApp is one of the world’s most popular messaging apps, with about 1.5 billion monthly users. The app is marketed as secure with end-to-end encryption that prevents messages, photos, videos, voice messages, calls and documents from falling into the wrong hands. WhatsApp says neither it nor third parties can access these messages.
However, a recent security breach that affected WhatsApp on iOS or Android phones is a clear reminder that no service is 100% risk-free.
The breach may have allowed a malicious actor to install unauthorised software and gain access to personal data on devices running WhatsApp. The attack – attributed in media reports to a private company working with governments on surveillance – is believed to have targeted a group of human rights campaigners. WhatsApp quickly released an updated version of its app to address the vulnerability.
For businesses, the lesson is clear – security plans, platforms and processes need to account for and minimise the risks of using these types of services. We recommend organisations carefully consider the use of proprietary messaging apps to distribute sensitive corporate or customer information, and implement robust policies governing the use of these services for business-related activities.
These policies need to be backed by education programs that should extend beyond an organisation’s own workforce to partners, suppliers, and other stakeholders.
The incident is also a powerful reminder to IT security specialists of the importance of installing updates as quickly as possible to address vulnerabilities that may leave a corporate network open to attack.
The media reports of the WhatsApp attack present an uncomfortable reminder to businesses that cyber-attacks may be carried out by well-resourced, technically skilled organisations and experts acting on behalf of nation-states, as well as criminal groups and rogue individuals. For businesses involved in critical infrastructure or systems of national importance, this means implementing security platforms, architectures, and processes – and working with relevant government agencies – to reduce the risk and impact of a breach.