According to Attaullah Baig, WhatsApp’s head of security from 2021 to 2025, over 1,500 engineers had unfettered access to customer data without enough control, possibly in violation of a 2020 US government decree that fined the company $5 billion. According to the case, which was submitted to a federal court in San Francisco, Meta neglected to put fundamental cybersecurity safeguards in place, such as sufficient data handling and breach detection tools.
Baig found through internal security testing that WhatsApp programmers could “move or steal user data” — including contact details, IP addresses, and profile photographs — “without detection or audit trail,” according to the 115-page lawsuit. The filing asserts Baig frequently voiced his concerns to high-ranking executives, such as Mark Zuckerberg, CEO of Meta, and Will Cathcart, head of WhatsApp. Following his initial allegations in 2021, Baig claims he was subjected to increasing levels of retaliation, which included verbal warnings, negative performance reviews, and firing in February 2025 for allegedly “poor performance.” According to the lawsuit, Meta prioritized user growth over implementing security safeguards meant to prevent account takeovers, which impact an estimated 100,000 WhatsApp users per day. Meta vehemently denied the accusations.
Carl Woog, WhatsApp’s vice president of communications, said AFP in a statement, “Unfortunately, this is a well-known scenario where a former employee is fired for subpar work and then goes public with false allegations that distort the continuous efforts of our team.” “We pride ourselves on building on our strong record of protecting people’s privacy, but security is an adversarial space,” Woog continued. The organization claimed that Baig’s departure was due to subpar performance, with several senior engineers independently confirming that his work fell short of expectations. Additionally, Meta mentioned that Baig’s initial complaint was dismissed by the Department of Labor’s Occupational Safety and Health Administration, which concluded that Meta had not retaliated against him.
Baig had cybersecurity positions at PayPal, Capital One, and other significant financial organizations before joining Meta. Prior to launching the current lawsuit, he lodged concerns with federal officials, including the Securities and Exchange Commission. With Facebook, Instagram, and WhatsApp serving billions of users worldwide, Meta’s data privacy policies are under continued scrutiny as a result of this case. Following the Cambridge Analytica incident, which involved the unauthorized gathering of data from 50 million Facebook users, Meta consented to the government settlement in 2020. Until 2040, the consent order is still in force. In addition to possible regulatory enforcement action against the business, Baig is seeking compensatory damages, back pay, and reinstatement in his whistleblower lawsuit.
Current and former workers claim Meta hid research on the safety hazards to children in its virtual reality goods in a different complaint that was originally covered by the Washington Post on Monday. Meta disputes these allegations, claiming that company respects privacy laws and places a high priority on adolescent safety.
