A former top security executive at WhatsApp filed a federal lawsuit alleging that parent company Meta systematically violated cybersecurity regulations and retaliated against him for reporting the failures.
Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claimed yesterday that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a 2020 US government order that imposed a $5 billion (€4.25 billion) penalty on the company.
An attorney for Baig at NGO Psst.org, Jennifer Gibson, said she could not think of another company with as many whistleblowers as Meta, Bloomberg reported yesterday.
“Meta had a choice: They could fix the problems or attack the messenger, and they chose the latter,” she said.
The lawsuit, filed in federal court in San Francisco, alleges that Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.
According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” — including contact information, IP addresses, and profile photos — “without detection or audit trail”, AFP reported yesterday.
The filing claims Baig repeatedly raised concerns with senior executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg.
In January 2024, Baig sent Facebook owner Zuckerberg, who is listed as a defendant along with Meta and Meta’s general counsel, a letter documenting alleged violations of the 2020 Federal Trade Commission (FTC) order and of Securities and Exchange Commission (SEC) rules.
He pleaded “that the central security team had falsified security reports to cover up decisions not to remediate data exfiltration risks” and that such falsifications could lead to criminal penalties, according to Bloomberg.
Meta purportedly blocked features he and his team built to mitigate user harm. Come November 2024, Baig filed an SEC form “documenting Meta’s cybersecurity deficiencies and failure to inform investors about material cybersecurity risks”.
He allegedly sent Zuckerberg another letter that December, disclosing the alleged continuation of cybersecurity issues, escalated retaliation and the form’s filing.
“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” Carl Woog, vice president of global communications at WhatsApp, told Bloomberg.
Baig wants reinstatement with the same seniority status that he would have had barring discrimination, back pay and compensation for special damages and “for emotional distress, mental anguish, and other consequential damages”.
Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings and ultimately termination in February 2025 for alleged “poor performance”.
The lawsuit also claims Meta blocked implementation of security features intended to address account takeovers affecting an estimated 100,000 WhatsApp users daily, choosing instead to prioritise user growth, AFP said.
Meta strongly disputed the allegations.
“Security is an adversarial space, and we pride ourselves on building on our strong record of protecting people’s privacy,” Woog added.
The company said Baig left due to poor performance, with multiple senior engineers independently validating that his work was allegedly below expectations.
Meta also noted that the Department of Labour’s Occupational Safety and Health Administration dismissed Baig’s initial complaint, finding that Meta had not retaliated against him.
The company further insisted that Baig’s self-description as head of security was an exaggeration of his role at WhatsApp and that he was a lower-level engineer.
Prior to joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One and other major financial institutions.
The case has added to ongoing scrutiny of Meta’s data protection practices across its platforms – Facebook, Instagram, and WhatsApp – which serve billions of users globally.
Meta agreed to the 2020 US government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040.
In his whistleblower complaint, Baig has requested reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.
In a separate case targeting Meta first reported by The Washington Post yesterday, current and former employees allege the company suppressed research on child safety risks in its virtual reality products.
Meta denies these claims, stating it prioritises youth safety and complies with privacy laws.