NSO Group Ordered to Pay Meta $167 Million in Damages

Israeli cybersecurity company NSO Group has been ordered to pay Meta $167 million in damages, concluding a six-year legal dispute after NSO hacked 1,400 WhatsApp accounts belonging to journalists, human rights activists, and government officials.

In December, U.S. District Court Judge Phyllis Hamilton ruled that NSO had breached cybersecurity laws by using the well-known Pegasus spyware to target mobile phones configured with WhatsApp across 20 countries. Meta, which owns Facebook, Instagram, and WhatsApp, provides an encrypted messaging platform used by over 2 billion individuals.

In March, Meta sought damages from NSO, and last week the court convened to discuss potential penalties. The ruling was made on Tuesday following two days of deliberation.

“Today’s verdict imposing penalties on NSO is a crucial deterrent for the spyware industry against unlawful activities targeting American companies and users globally. This is a threat to the entire industry, and we must all work to safeguard it.”

WhatsApp announced that it would donate the damages to digital rights organizations dedicated to protecting individuals.

“We are excited to share our commitment to providing a variety of services to our users,” stated Gil Rainer, Vice President of Global Communications at NSO Group. “We firmly believe that our technology plays a vital role in preventing serious crimes and terrorism, and is employed responsibly by authorized government agencies.”

WhatsApp initially filed a lawsuit against NSO in 2019, claiming they had accessed WhatsApp servers without authorization. An NSO executive testified about the company’s capability to install Pegasus software on targeted mobile devices without users’ awareness. This executive asserted that Pegasus assists law enforcement and intelligence agencies in combating crime and securing national safety.

Similarly, Apple sued NSO for device hacking in 2021, though it dropped the case in September. Additionally, in 2021, the Commerce Department blacklisted NSO, stating the firm acted “contrary to U.S. national security or foreign policy interests.”

Spyware, a type of software that infiltrates mobile phones, laptops, and other devices, is increasingly used to surveil unsuspecting victims. Initial spyware from NSO required targets to click on links or images sent via WhatsApp, which would then be unintentionally downloaded on their devices.

Evidence presented during the trial indicated that the latest version can penetrate phones through sent text messages without any action needed from the recipient. The proceedings also revealed that NSO has developed technology capable of infiltrating other messaging applications.

John Scott-Railton, an external expert whose work highlights how NSO Group’s spyware targets individuals through WhatsApp, remarked that Tuesday’s decision would adversely affect the company.

“NSO’s operations rely on compromising American companies,” stated Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity watchdog affiliated with the University of Toronto. “Dictators can exploit this to track dissidents. This ruling conveys a strong message.”