CyberSec Update#27: Signal and WhatsApp security risks
Messaging Apps as a Source of Risk
Within a relatively short period of time, two Polish authorities have taken positions on the use of messaging applications Signal and WhatsApp. Although the cases are independent and concern different areas, they share a common denominator – the security of communication.
Signal targeted by APT groups
Concerns regarding the use of the Signal messaging app were raised by the Government Plenipotentiary for Cybersecurity. Information provided by national Computer Security Incident Response Teams (CSIRT) indicates a growing risk of attacks involving social engineering techniques, including impersonation of the application’s technical support.
In his recommendations, the Government Plenipotentiary for Cybersecurity points out that Signal is also used by individuals holding prominent public positions and by employees of public institutions. In such cases, taking control over communication may pose a direct threat to national security and the confidentiality of processed information.
Furthermore, it is emphasized that, in order to ensure a high level of security in official communication, the Ministry of Digital Affairs recommends the use of national solutions dedicated to public administration, such as the mSzyfr communicator managed by NASK-PIB and the SKR-Z system, which is a classified communication system.
WhatsApp as an example of insufficient data protection measures
The President of the Personal Data Protection Office (UODO) not only took a position but also imposed an administrative fine on an entity acting as a processor, whose employees used WhatsApp for communication during a sales project.
As part of this communication, in addition to business instructions, scans and photos of contracts concluded with the controller’s clients were also shared. As a result, reprimands were additionally issued to the controller and the other processors involved.
The source of the breach on the processor’s side was a conscious decision to allow employees to use WhatsApp outside the knowledge and control of the controller.
Irregularities on the controller’s side consisted in the failure to implement appropriate technical and organisational measures. According to the President of UODO, the controller did not properly verify whether the processor provided sufficient guarantees to implement such measures.
The decision of the President of UODO in this case is not yet final.
Two messaging apps – different conclusions
Although both cases concern communication carried out using popular applications, the sources of the authorities’ concerns are different.
In the case of Signal, the key risk lies in targeted activities of APT groups aimed at specific individuals, particularly representatives of public administration.
In contrast, in the case of WhatsApp, the issue arose from the processing of personal data using an unauthorised tool, even if – as claimed by the processor – it was intended only as a supporting solution in contract execution.
Both cases demonstrate that the security of communication depends not only on the application itself, but primarily on how it is used and on the organisational measures that are in place.





