07.07.2026

CyberSec Update#27: Signal and WhatsApp security risks

Messaging Apps as a Source of Risk

Within a relatively short period of time, two Polish authorities have taken positions on the use of messaging applications Signal and WhatsApp. Although the cases are independent and concern different areas, they share a common denominator – the security of communication.

Signal targeted by APT groups

Concerns regarding the use of the Signal messaging app were raised by the Government Plenipotentiary for Cybersecurity. Information provided by national Computer Security Incident Response Teams (CSIRT) indicates a growing risk of attacks involving social engineering techniques, including impersonation of the application’s technical support.

In his recommendations, the Government Plenipotentiary for Cybersecurity points out that Signal is also used by individuals holding prominent public positions and by employees of public institutions. In such cases, taking control over communication may pose a direct threat to national security and the confidentiality of processed information.

Furthermore, it is emphasized that, in order to ensure a high level of security in official communication, the Ministry of Digital Affairs recommends the use of national solutions dedicated to public administration, such as the mSzyfr communicator managed by NASK-PIB and the SKR-Z system, which is a classified communication system.

WhatsApp as an example of insufficient data protection measures

The President of the Personal Data Protection Office (UODO) not only took a position but also imposed an administrative fine on an entity acting as a processor, whose employees used WhatsApp for communication during a sales project.

As part of this communication, in addition to business instructions, scans and photos of contracts concluded with the controller’s clients were also shared. As a result, reprimands were additionally issued to the controller and the other processors involved.

The source of the breach on the processor’s side was a conscious decision to allow employees to use WhatsApp outside the knowledge and control of the controller.

Irregularities on the controller’s side consisted in the failure to implement appropriate technical and organisational measures. According to the President of UODO, the controller did not properly verify whether the processor provided sufficient guarantees to implement such measures.

The decision of the President of UODO in this case is not yet final.

Two messaging apps – different conclusions

Although both cases concern communication carried out using popular applications, the sources of the authorities’ concerns are different.

In the case of Signal, the key risk lies in targeted activities of APT groups aimed at specific individuals, particularly representatives of public administration.

In contrast, in the case of WhatsApp, the issue arose from the processing of personal data using an unauthorised tool, even if – as claimed by the processor – it was intended only as a supporting solution in contract execution.

Both cases demonstrate that the security of communication depends not only on the application itself, but primarily on how it is used and on the organisational measures that are in place.

1 2 3 4 61

Newsletter

Want to stay up to date?
Subscribe to our newsletter.

By entering your e-mail address above and clicking ‘Subscribe!’ you declare that you have read and accept the Terms of Service and subscribe to the newsletter, i.e. information on legal topics, including information on important legal events, legislative changes and the Law Firm's activities, services and products, via e-mail communication.

The controller of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with its registered office in Kraków, Kącik 4 Street, 30-549 Kraków. Your data will be processed in order to provide the newsletter service and thus send commercial and marketing information to the e-mail address provided, in accordance with the Privacy Policy and the Terms of Service. For more information on the principles of personal data processing, including your rights, please see the Privacy Policy.

Please wait...

Thank you for sign up!