A former WhatsApp security executive has filed a federal lawsuit against parent company Meta, alleging widespread cybersecurity failures and retaliatory measures after he raised concerns internally.
Attaullah Baig, who led security efforts at WhatsApp from 2021 to 2025, claims roughly 1,500 engineers had unfettered access to user data without sufficient oversight—a potential violation of a 2020 U.S. government order that imposed a $5 billion penalty on Meta. The complaint, filed in San Francisco federal court, contends that basic cybersecurity practices, including data handling and breach detection, were systematically ignored.
In his 115-page filing, Baig asserts that internal testing revealed engineers could “move or steal user data”—from contacts and IP addresses to profile photos—“without detection or audit trail.” He says he repeatedly flagged the issues to senior executives, including WhatsApp head Will Cathcart and CEO Mark Zuckerberg, only to face escalating retaliation. According to the suit, Baig received negative performance reviews, verbal warnings, and ultimately, in February 2025, termination for alleged “poor performance.”
Baig further claims Meta blocked the rollout of security features designed to address account takeovers affecting roughly 100,000 users daily, allegedly prioritizing growth over user protection.
Read Also: Thailand’s Ex-PM Thaksin Ordered To Serve Jail Sentence
Meta has strongly denied the allegations. Carl Woog, WhatsApp’s vice president of communications, described the claims as “distorted” and reaffirmed the company’s commitment to user privacy and security. Meta also contends that Baig exaggerated his role, describing himself as the head of security while holding a lower-level engineering position, and noted that multiple senior engineers assessed his performance as below expectations. The Department of Labor’s Occupational Safety and Health Administration also dismissed Baig’s initial complaint, finding no evidence of retaliation.
Before joining Meta, Baig held cybersecurity roles at major financial institutions, including PayPal and Capital One. His lawsuit seeks reinstatement, back pay, compensatory damages, and potential regulatory action against the company.
The case comes amid broader scrutiny of Meta’s data protection practices across WhatsApp, Facebook, and Instagram, platforms that collectively serve billions worldwide. The 2020 government settlement, stemming from the Cambridge Analytica scandal, remains in effect until 2040, highlighting persistent concerns over corporate accountability in handling user data.
As the lawsuit unfolds, it underscores ongoing tensions between corporate growth, cybersecurity responsibility, and the challenges faced by whistleblowers seeking to safeguard user privacy in the digital age.