Latest Signal and WhatsApp breaches show that consumer apps have no place in government
On Monday the General Dutch Intelligence Agency (AIVD) and Dutch Military Intelligence and Security Service (MIVD) announced a sustained Russian-backed campaign targeting Signal and WhatsApp users.
It follows a similar warning in February from Germany’s Domestic Intelligence Agency (BfV) and Federal Cybersecurity Office (BSI).
The attacks are based on relatively straightforward social engineering. Signal or WhatsApp users are targeted by fake Support Chatbots and then duped into divulging PIN codes or adding the attacker to conversations through ‘link device’ functions. Much like email phishing, it’s straightforward but effective; the Dutch agencies have acknowledged that the attackers are likely to have gained access to sensitive information.
The attacks are yet another example of why consumer messaging apps are not appropriate for use within governments. Intelligence agencies and other cyber experts have repeatedly warned that the likes of Signal and WhatsApp are frequently targeted because their end-to-end encryption gives government users a false sense of security. Yet end-to-end encryption is pointless when you can’t trust who is in the conversation.
Signal and WhatsApp are designed for consumer use only. They do not offer organisation-level administration or management, leaving government officials vulnerable to anyone who is able to contact them. Consumer messaging apps are - from an IT department point of view - “insecure by design” and therefore the very opposite of what governments should be using.
Secure by design
Element Server Suite Pro protects against the type of social engineering attacks targeted at Signal and WhatsApp because it provides an enterprise-grade messenger.
Most government deployments of Element are either ‘internal-only’ or for use within a ‘closed federation’ of trusted partners. As a result, it’s extremely difficult for an external attacker to even target government employees.
End-users are managed through an organisation’s existing directory service - the systems that are trusted to identify and control access to all the organisation’s applications, as well as supporting single sign-on. In addition to protecting against external threats, end-user management also guards against accidental invites, such as the Signalgate incident.
Element's identity and access management stops Signalgate incidents
As a further line of defence, within Element Server Suite Pro, room administrators can require that end-users verify their devices, so that only trusted devices take part in a conversation.
Adopting the correct security posture
Governments and other organisations that have to prioritise security are generally good at assessing risk, and adjusting their security posture accordingly. Many of our customers, for example, use Element for communications within their air-gapped environments. Some are even introducing cross-domain gateways to connect high-side and low-side communications.
Yet other parts of those same organisations can still have a blind spot when it comes to messaging apps. While budgets exist for air-gapped networks, or to replace a collaboration suite, many find it difficult to win a new budget to provide a sovereign messenger as an alternative to the unsanctioned use of (free of charge) consumer messaging apps.
Governments, however, typically require dedicated, hardened communication systems that incorporate strict access controls, monitoring, and security policies rather than relying on consumer messaging services.
Sovereign and secure
Talking of the latest attacks, Vice-Admiral Peter Reesink, director, Dutch Military Intelligence and Security Service, says: "Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."
Signal is a centralised, vendor-controlled service from a US-headquartered organisation, and it runs its entire service on AWS. WhatsApp is owned by US-headquartered Meta, one of the world’s largest data mining companies. Neither Signal nor WhatsApp offers any level of sovereignty, and both are designed purely for consumer use - creating a raft of vulnerabilities for workplace use. And as Australia’s government concluded in March 2025, they also erode the democratic process through a lack of record keeping.
As European governments embrace digitally sovereign IT strategies to improve national security, they should also move decisively to ban government officials from using Signal and WhatsApp for government-related conversations.
Simultaneously, they need to give officials a sovereign and secure alternative.