WhatsApp jitters
News that Jamaica was among 84 countries affected by a WhatsApp data leak, with hundreds of thousands of local phone numbers compromised, leaving people open to being targeted by criminals, made many Jamaicans anxious on Monday, even as the platform’s parent company Meta denied that there had been a breach.
However, local cybersecurity expert Trevor Forrest has said this won’t be the last time technology users face this threat.
According to Forrest, there is no escaping data leaks and threats as the world plunges further into a digital existence, but the key is for individuals to guard against occurrences such as these.
Online security publication Cybernews reported via its Twitter account on Monday that close to 400,000 local mobile numbers were among almost 500 million mobile numbers worldwide affected by the breach.
Forrest said, although the report is just now emerging, the numbers and data may have been compromised months ago.
“This kind of stuff happens, and it will continue to happen… You can’t prevent these things; you can do your best to try to minimise them, but you’re not going to prevent them. What it requires of us, as users of technology, is to be more vigilant, and more aware, and understanding what you should and should not share, and how you should use the technology carefully,” he said.
The cybersecurity expert said, despite WhatsApp’s position that it has not found any evidence of a breach, end users are concerned, and will be affected.
“It’s the season to be jolly, so you’re going to find that, with access to phone numbers, you will see an upswing in phone calls, text messages, and WhatsApp messages that have things that would appeal to people in this time, or that would spawn reflex actions from people, especially as it relates to supposed fraud. What you might find is an increase in messages trying to get people to validate your information, and because people are in a particular reactive mindset they are easy targets when you scare them that way. That is really the kind of fallout that you would expect from a situation such as this,” he explained.
According to Cybernews, on November 16 a threat actor posted an ad on a well-known hacking community forum claiming to be selling a 2022 database of 487 million WhatsApp user mobile numbers. A chunk of the phone numbers reportedly belongs to citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million). The data for sale also allegedly includes nearly 10 million Russian and more than 11 million UK citizens’ phone numbers, as well as 385,890 Jamaican records.
With the anticipated uptick in phishing, spamming and scamming that could occur, Forrest is urging people to be more diligent in their response to any illicit activity aimed at potentially profiting from leaked data.
“Wherever you’re not sure, or if anything looks suspicious, think a little bit before you act. So if you get something from your bank, in the form of a text message or phone call, call back the bank. If the bank calls you and is asking for information, don’t give the information, call the bank back. You don’t know where the call originated from, [but] when you call, you know who you’re calling,” he said, noting that ignoring calls is also a safe course of action.
At the same time, he pointed to the two pieces of legislation on the books which he said only remotely relate to the issue — the Cybercrimes Act and the Data Protection Act.
“Whether it applies to data breaches from entities that are not in Jamaica is an argument that has to be made. As to what the redress is, the data protection law speaks very specifically to data that belongs to Jamaica, and where that data is physically stored. The scenario that presents itself now is a little delicate, because you have to first establish that the data was, in fact, extricated from WhatsApp and how it was done. In lieu of all of that, the best defence is to be aware and vigilant, be careful how you work online, be careful of the information that you share, as careful as you can be, with others,” he emphasised.
WhatsApp has reportedly dismissed claims of a data leak from its servers as unsubstantiated screenshots.
But, on Monday, the Observer’s Instagram report on the issue elicited responses from well over 500 readers, with most saying that they had received messages from strange numbers from far-off countries, among them India, Spain, Pakistan, and Morocco.
One individual shared that they received a text asking to verify their number. Another said that each time they blocked a number from which messages were being sent, the number kept coming up.
One woman said she received a nude video and had to block the sender.
The development came on the same day as an Associated Press (AP) report stating that Irish regulators slapped Meta with a 265 million-euro (US$277-million) fine — the company’s latest punishment for breaching strict European Union (EU) data privacy rules.
According to AP, Ireland’s Data Protection Commission said Meta platforms infringed sections of the EU rules, known as the General Data Protection Regulation, that require technical and organisational measures aimed at protecting user data.
The watchdog had opened an investigation last year into news reports that data on more than 533 million users had been found dumped online. The data was found on a website for hackers and included names, Facebook IDs, phone numbers, locations, birthdates, and e-mail addresses for people from more than 100 countries, AP said.
Meta said the data had been “scraped” from Facebook using tools designed to help people find their friends through phone numbers using search and contact import features. The watchdog said it investigated the automated scraping carried out between May 2018 and September 2019.
The company said it had “cooperated fully” with the Data Protection Commission.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” Meta said in a statement. “Unauthorised data scraping is unacceptable and against our rules.”