Steggall says WhatsApp account hit in suspected foreign-state phishing attack

Independent MP Zali Steggall said her WhatsApp account was compromised in a March phishing attack that parliamentary officials believe was carried out by a foreign state actor, in an incident that also affected three staffers and prompted a temporary block on WhatsApp Web inside Parliament.

Officials told AAP News the breach was reported on 6 March and formed part of a broader cyber incident affecting parliamentarians and staff. Public reporting said WhatsApp Web was blocked on parliamentary systems from 9 March while IT teams assessed whether the attackers had gained access beyond the affected accounts.

Steggall said in a statement reported by The Sydney Morning Herald that the account was secured soon after the incident was identified.

“My WhatsApp account was targeted as part of a broader cyber incident affecting parliamentarians and staff.”

— Zali Steggall, The Sydney Morning Herald

She added that the matter was immediately reported to the relevant parliamentary authority.

Mike Webb, the Department of Parliamentary Services chief information officer, told an inquiry the campaign was aimed at parliamentarians rather than only departmental systems.

“So this is targeting our parliamentarians, but it is a genuine global issue.”

— Mike Webb, AAP News

That evidence places the episode among the phishing attacks that target people at the edge of official networks. The service itself may be encrypted, but staff still have to manage login prompts, linked devices and browser sessions, which are common points of failure in account-takeover cases.

Nothing in the public evidence suggests WhatsApp’s encryption was broken. Webb’s description points instead to phishing around the account, not a flaw in the messaging protocol, which shifts the focus to identity checks and device management.

The temporary restriction on WhatsApp Web also fits that reading. A browser client can extend the number of machines tied to a single account, making containment harder while security teams work out what was accessed, what sessions remain open and whether credentials need to be reset.

Unlike managed email or internal collaboration tools, consumer messaging apps can span personal phones, linked browsers and other devices outside a single control framework. That does not make them insecure by default, but it can complicate policy enforcement inside sensitive workplaces.

AAP reported that parliamentary officials detected 46 instances of malware between 1 July 2025 and 31 March 2026, along with close to 20,000 phishing attempts over the same period. Those totals do not mean every incident was state-backed, but they show the scale of low-cost attempts already facing parliamentary staff and MPs.

Public reporting has not set out exactly how attackers reached Steggall and the three staffers, whether through a credential-harvesting page, a linked-device approval or another social-engineering method. Officials also have not detailed what, if any, account data was accessed before the affected accounts were secured.

Still, the incident shows why mainstream consumer apps can become a parliamentary security issue once they are used for routine work. When officials rely on a service for day-to-day coordination, the account protections around that app carry institutional weight as well.