121 Indians hit; we may never know Pegasus breach extent: WhatsApp to govt

121 users in India targeted, full extent of Pegasus spyware attack may never be known: WhatsApp told Govt

Electronics and Information Technology Minister Ravi Shankar Prasad on Wednesday told the Lok Sabha that WhatsApp has informed that the full extent of targeting of mobile phone users, including 121 from India, using Israeli Pegasus spyware may never be known and the Computer Emergency Response Team (CERT-In) has issued a formal notice to the social media platform seeking submission of details and information.

In a written reply, Prasad said that attempts to malign the Government of India for the reported breach are completely misleading.

He said the government has taken note of the fact that a "spyware/malware has affected some Whatsapp users".

The minister said according to WhatsApp, this spyware was developed by an Israel based company NSO Group and that it had developed and used Pegasus spyware to attempt to reach mobile phones of a possible number of 1400 users globally that includes 121 users from India.

He said there are adequate provisions in the Information Technology (IT) Act, 2000 to deal with hacking, spyware etc.

The minister said that CERT-In published a vulnerability note on May 17, 2019, advising countermeasures to users regarding a vulnerability in WhatsApp.

"Subsequently, on May 20, 2019, WhatsApp reported an incident to the CERT-In stating that WhatsApp had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attacks," the minister said.

"On September 5, 2019, WhatsApp wrote to CERT-In mentioning an update to the security incident reported in May 2019, that while the full extent of this attack may never be known, WhatsApp continued to review the available information. It also mentioned that WhatsApp believes it is likely that devices of approximately one hundred and twenty-one users in India may have been attempted to be reached," he added.

He said CERT-In has issued a formal notice to WhatsApp seeking submission of relevant details and information based on media reports on October 31, 2019, about such targeting of mobile devices of Indian citizens through WhatsApp by spyware Pegasus.

Referring to reports in a section of media, he said: "attempts to malign the Government of India for the reported breach are completely misleading".

"The government is committed to protecting the fundamental rights of citizens, including the right to privacy. The government operates strictly as per provisions of law and laid down protocols," said he.

The minister said that the Ministry of Electronics and Information Technology is also working on the Personal Data Protection Bill to safeguard the privacy of citizens, and it is proposed to table it in Parliament.