WhatsApp Security Breach: Meta Secures Compensation in Legal Victory Against NSO Group Spyware

Meta has secured approximately $170 million in damages from NSO Group, the Israeli firm behind the Pegasus spyware. This ruling follows a protracted six-year legal battle initiated by Meta, which accused NSO of leveraging its servers to conduct surveillance on users.

The initial lawsuit against NSO Group was filed in October 2019, alleging that the spyware provider utilized WhatsApp servers to disseminate malware to around 1,400 mobile devices. This malicious intent aimed to access communications on these devices, often utilized by attorneys, journalists, human rights advocates, political dissidents, diplomats, and senior officials from foreign governments.

The NSO Group allegedly reverse-engineered WhatsApp’s software, creating its own platforms to deliver messages containing malware to victims via the WhatsApp service. This malware employed a zero-click attack, which enabled it to infiltrate the victims’ smartphones without any user interaction—no need to open a link or even respond to a call; the mere arrival of the message sufficed.

In December, a judge ruled that NSO Group had consistently evaded requests to submit its code for scrutiny, leading to a partial summary judgment in favor of Meta. This decision paved the way for a trial focused on determining the damages, which commenced in late April.

During the trial, NSO Group contended that Facebook incurred no losses from the breach, arguing for a minimal damage award. However, the jury ultimately ruled in favor of Meta, awarding $444,719 in compensatory damages alongside $167,254,000 in punitive damages.

The NSO Group is recognized for its contentious history. In 2021, it was blacklisted by the U.S. federal government for facilitating foreign governments’ surveillance operations, classified under “transnational repression.” The investigative outlet, The Pegasus Project, alleged that the company targeted over 180 journalists worldwide that same year. In 2022, the European Data Protection Supervisor recommended a ban on such technology within the EU, though this has yet to materialize.

The ruling has garnered commendation from Amnesty International, which contributed a court brief highlighting the human rights ramifications of the attacks on Meta. It emphasized the necessity for governments to implement proactive measures regulating the surveillance industry and to enforce robust safeguards that align with human rights standards.

One critical insight emerges from this case: while end-to-end encryption serves as a vital component for safeguarding privacy, it should not be seen as a standalone solution. As indicated in Meta’s complaint, NSO could not decrypt WhatsApp messages during transmission due to encryption protocols; however, accessing decrypted messages on compromised devices remains a significant risk. If an attacker infiltrates a smartphone or computer, they gain access to all data, including decrypted messages.

For users, the imperative lies in adopting additional layers of protection through regular software updates, robust security solutions, and an informed approach to cybersecurity. Avoiding links, files, or videos from unfamiliar sources is essential, and exercise caution even with messages from known contacts—verifying via an alternate channel can prevent unexpected breaches.

In light of the advanced nature of such infections, particularly targeting sensitive individuals like journalists, activists, and government officials, organizations like Google and Apple have established protective measures. Google offers an advanced protection program for high-risk individuals, while Apple has introduced lockdown mode specifically designed for vulnerable users. Similarly, Meta has initiated efforts to bolster security for its users.

Cybersecurity threats must not remain just a headline; effective protections are crucial. Employing comprehensive security measures is essential to safeguard mobile devices against such sophisticated attacks.