Former WhatsApp security boss sues Meta for "systemic cybersecurity failures"
Briefly

"The letter outlined not only the improper access engineers had to WhatsApp user data, but a variety of other shortcomings, including a "failure to inventory user data," as required under privacy laws in California, the European Union, and the FTC settlement, failure to locate data storage, an absence of systems for monitoring user data access, and an inability to detect data breaches that were standard for other companies."
"Last year, Baig allegedly sent a "detailed letter" to Meta CEO Mark Zuckerberg and Jennifer Newstead, Meta general counsel, notifying them of what he said were violations of the FTC settlement and Security and Exchange Commission rules mandating the reporting of security vulnerabilities. The letter further alleged Meta leaders were retaliating against him and that the central Meta security team had "falsified security reports to cover up decisions not to remediate data exfiltration risks.""
"Baig also allegedly notified superiors that data scraping on the platform was a problem because WhatsApp failed to implement protections that are standard on other messaging platforms such as Signal and Apple Messages. As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams."
WhatsApp experienced systemic privacy and security deficiencies, including improper engineer access to user data, failure to inventory user data, inability to locate data storage, lack of monitoring systems, and failure to detect breaches. An internal complaint alleged violations of FTC and SEC reporting rules and claimed that central security teams falsified reports and retaliated against a whistleblower. Reported account takeovers rose from about 100,000 daily in 2022 to as many as 400,000 daily by last year. Widespread data scraping reportedly allowed copying of pictures and names from roughly 400 million profiles each day, enabling impersonation scams and prompting recommended access restrictions.
Read at Ars Technica