Whistleblower Alleges Major Cybersecurity Failures
A former top security executive at WhatsApp has filed a federal lawsuit against Meta, claiming the company systematically violated cybersecurity regulations. Attaullah Baig, who served as WhatsApp’s head of security from 2021 to 2025, also alleges he was retaliated against after raising concerns internally.
Earlier, Meta Unveils AR Glasses with Heart Rate Monitoring & Navigation. Meta has announced the release of its next-generation AR glasses, Aria Gen 2, designed primarily for research purposes.
Engineers Had Unchecked Access to User Data
According to the complaint filed Monday in San Francisco federal court, Baig says that around 1,500 engineers had unrestricted access to user data. This, he claims, violated a 2020 U.S. government order that imposed a $5 billion fine on Meta over data privacy violations.
Baig’s 115-page complaint states that internal testing revealed engineers could “move or steal user data” such as contact lists, IP addresses, and profile photos — all without detection or an audit trail.
Repeated Warnings Ignored by Leadership
The lawsuit claims Baig repeatedly alerted senior leadership, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg. Despite this, no action was taken, and Baig alleges he was targeted with retaliation.
Starting in 2021, he says he received negative performance reviews and verbal warnings. In February 2025, he was ultimately terminated for what Meta claimed was “poor performance.”
Meta Allegedly Blocked Key Security Features
Baig also accuses Meta of intentionally blocking key security measures aimed at preventing account takeovers. According to him, over 100,000 WhatsApp users were being affected daily by account hijackings.
Instead of prioritizing security, the lawsuit claims Meta chose to focus on user growth, ignoring known vulnerabilities.
Meta Denies Allegations, Calls Them “Distorted”
Meta has strongly pushed back on the claims. In a statement, Carl Woog, WhatsApp’s VP of Communications, said:
“Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims.”
He added that Baig’s work had been evaluated by multiple senior engineers and found lacking. The company also disputed Baig’s title, claiming he was not the head of security but a lower-level engineer.
Government Previously Dismissed Complaint
Meta pointed out that the U.S. Department of Labor’s Occupational Safety and Health Administration had already dismissed a related complaint by Baig. That ruling concluded that Meta had not retaliated against him.
Whistleblower Seeks Damages, Reinstatement
In his lawsuit, Baig is seeking reinstatement, back pay, and compensatory damages. He is also calling for regulatory enforcement action against Meta.
Before joining WhatsApp, Baig held cybersecurity roles at PayPal, Capital One, and other financial institutions.
Meta Faces Broader Scrutiny
The lawsuit adds to growing concerns about Meta’s handling of user data across platforms including Facebook, Instagram, and WhatsApp. The 2020 consent order from the U.S. Federal Trade Commission remains in effect until 2040, following Meta’s involvement in the Cambridge Analytica scandal.
Additional Complaints on Child Safety Research
On the same day Baig’s lawsuit was filed, the Washington Post reported that current and former Meta employees claim the company suppressed internal research about child safety risks in its virtual reality platforms.
Meta denies those claims as well, insisting it complies with privacy laws and prioritizes youth safety.
