Court Orders NSO Group to Compensate $167 Million for WhatsApp Breach

Wed 7th May, 2025

A jury has mandated that the NSO Group pay $167 million in punitive damages following a lawsuit filed by WhatsApp, a subsidiary of Meta Platforms, Inc. The case revolved around allegations that NSO exploited a critical vulnerability in WhatsApp's software, allowing unauthorized access to the devices of thousands of users.

This verdict, delivered on Tuesday, represents a significant win for WhatsApp and advocates for privacy rights who have long criticized the actions of NSO and similar companies involved in the sale of exploitative software. In addition to the punitive damages, the jury also awarded WhatsApp $444 million in compensatory damages.

WhatsApp initiated legal action against NSO in 2019, responding to an attack that compromised approximately 1,400 mobile devices belonging to a range of individuals, including lawyers, journalists, human rights defenders, political activists, diplomats, and senior officials from foreign governments. The NSO Group, which provides technology to governments and law enforcement agencies, leveraged a serious vulnerability in WhatsApp that facilitated the installation of its proprietary spyware, Pegasus, on both iOS and Android devices. This exploit was particularly insidious as it could infect devices simply by placing a call to the WhatsApp app without requiring the target to answer.

In a statement following the jury's decision, WhatsApp emphasized that this ruling is a crucial step towards enhancing privacy and security, marking the first significant legal victory against the unauthorized development and deployment of spyware that endangers the privacy of individuals globally. The company expressed hope that the decision would deter similar malicious practices in the industry.

The NSO Group had created WhatsApp accounts in 2018 and utilized them the following year to initiate the calls that exploited the vulnerability. An investigation by Citizen Lab, conducted on behalf of WhatsApp, revealed that among those targeted were 100 members of civil society across 20 nations. The exploit functioned by routing calls through WhatsApp's servers, which injected harmful code into the infected devices. Subsequently, these devices connected to malicious servers controlled by NSO.

Upon discovering the breach, WhatsApp acted promptly to mitigate the threat, implementing a software update that addressed the vulnerability and notifying affected users about the intrusion. In the aftermath, both Facebook and WhatsApp took steps to remove NSO personnel from their platforms.

The lawsuit was notable for being one of the first major legal actions aimed at the unregulated industry that sells sophisticated malware tools to governments around the world. NSO contended that it should not be held liable, asserting that it only sold its tools to authorized government entities for legitimate purposes, such as combatting terrorism and other severe crimes. The company also maintained that it prohibited clients from using its technologies against human rights advocates and journalists. Furthermore, NSO claimed that its services acted as a necessary check against encrypted communication platforms that could be exploited by criminals.

The jury's verdict, delivered by a panel in the U.S. District Court for the Northern District of California, serves as a significant rebuke to NSO's defense strategy. Experts have suggested that the ruling could set a precedent for future legal actions by hacking victims and their technology providers, exposing NSO's operational practices that have typically remained confidential. Last year, the presiding judge mandated that NSO disclose portions of the source code underpinning its products, unveiling further details about the company's clientele and the locations of many individuals affected by the hacking.

As of now, the NSO Group has not issued a public response regarding the jury's decision.

