It may not have become as high-profile as Defense Secretary Pete Hegseth’s “Signalgate” breach, but there is a burgeoning ad industry scandal that could well be called “WhatsAppgate,” because big agency holding companies -- especially WPP -- have been discovered to be using WhatsApp’s consumer-grade group messaging app to share confidential client information.
While it has not made the headlines of the U.S. trade press, Reuters last week broke a story about a group of agency holding company teams in India that participated in a “secret” price-fixing pact coordinated on the not-so-secure group messaging app.
According to Reuters reporting, participants included regional media leadership of WPP Media (formerly GroupM), Omnicom Media Group, Interpublic’s IPG Mediabrands, Havas Media, and Dentsu.
“Members of the group discussed advertising pitches and coordinated on interactions with clients,” Reuters reported.
In an unrelated development, MediaPost recently received screenshots of confidential client-related chats shared via a WhatsApp group created by CTO Stephan Pretorius that included discussions of client business that has been shared with both current and former employees and other third parties, including at least one U.S.-based trade reporter.
“I would expect something like that from a creative, but from a CTO? That’s kind of a little shocking that they would rely on something like WhatsApp,” says Douglas Wood, a private practicing attorney who is one of the industry’s leading authorities on advertising law, especially client/agency confidentiality agreements.
“If you look at what happened recently with [Defense Secretary] Hegseth on Signal, that would prove to me that there is no such thing as a secure group chat app.”
“As a CTO, I am probably a bit more aware of the risks involved. It is precisely why I am not active in social media,” the CTO of another major agency holding company tells MediaPost, adding: “However, I believe it is the responsibility of all employees, technical or not, to adhere to company communications and data security policies.”
He noted that his firm has a “strict application usage policy and guidelines,” mandating the “use of our stack for all company related activities.”
“There are always rogue players who will go off and do things that don’t adhere to company policy, so the first thing organizations need to do is ensure that there is a clear policy in place and that it is part of a mandatory training program that employees go through every year. This is both to educate them and hold them accountable if they deviate from the process.”
Attorney Wood, who previously was the long-time chief counsel for the Association of National Advertisers, notes that big brands, including the kind that were discussed in WPP’s CTO WhatsApp group, have stringent confidentiality agreements, but that they are difficult to enforce when there’s a breach, because there typically is no “liquidated damages” clause -- an agreement placing a monetary fine on a breach -- and that the worst that usually happens is that clients get angry and agencies sometimes get fired.
“When it comes down to it, you can get all hot-and-bothered and pissed off, but if you can’t prove actual damages -- that that breach caused me to lose a release date or not get a price I could have gotten for media -- it’s just meaningless,” he said.
In response to a MediaPost query, a WPP spokesperson declined to specify what the holding company’s policy is regarding the use of group messaging apps to discuss confidential client information, but said it was something that applied to all forms of electronic communication used by its teams.
“WPP policies and protocols apply across all communication channels, including email, Teams, and other messaging applications like WhatsApp. Usage is subject to the same obligations, regardless of the channel,” he said.
“The problem is people have rushed to these apps -- particularly during the pandemic -- but they’re not really that secure. There’s an illusion of security,” explains Wood, adding that it is especially ironic that the CTO of a major agency holding company would choose to use WhatsApp for senior management team group chats, because it’s not as secure as other apps, including Signal.
WhatsApp -- which was once regarded as one of the most secure group messaging apps -- is now part of Meta, and just this week, the U.S. House of Representatives said it will no longer allow staffers to have WhatsApp on their government devices, according to a report by Axios.
Wood, meanwhile, characterized the evolution of agency communications as something of a slippery slope that accelerated during the COVID-19 pandemic, when teams were working remotely and became increasingly dependent on the technology.
“COVID changed the whole communication methodology by which agencies communicate internally and to their clients,” he explains, adding: “Everybody has become very dependent on apps, and it’s become the default. It’s no longer even phone calls.”
In fact, when MediaPost called WPP’s Pretorius for a comment, his phone’s voice message said not to leave a message, but to text him.