Meta Sued by Former Executive Over Systemic Cybersecurity Flaws in WhatsApp
A former top cybersecurity executive for WhatsApp has filed a lawsuit against the company’s parent, Meta, alleging that Meta systematically disregarded critical security flaws, endangered billions of users, and retaliated against him for exposing the failures.

Attaullah Baig, who served as WhatsApp’s head of security from 2021 until his termination in February 2025, claims in the suit that approximately 1,500 Meta engineers had unrestricted access to user data without proper oversight or an audit trail. He alleges this is a potential violation of a 2020 U.S. government order that imposed a USD 5 billion penalty on Meta for past data protection failures.
According to the 115-page complaint, filed in U.S. federal court in San Francisco, Baig discovered through internal security testing that engineers could “move or steal user data,” including contact information, IP addresses, and profile photos, without detection.
The lawsuit also claims that Meta failed to address the hacking and takeover of more than 100,000 accounts each day, ignoring its proposed fixes in favour of prioritising user growth. Baig says he repeatedly raised his concerns with senior executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg.
In a statement, Carl Woog, WhatsApp’s vice president of communications, strongly disputed the allegations. “Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” Woog said. The company maintains that Baig’s termination was due to “poor performance,” a claim it says was validated by multiple senior engineers.
Baig’s lawsuit, however, alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews and verbal warnings, which he believes were a pretext for his eventual firing. The suit also notes that before filing the current litigation, Baig had filed complaints with federal regulators, including the Securities and Exchange Commission and the Department of Labor’s Occupational Safety and Health Administration. However, Meta notes that the OSHA complaint was dismissed.
The case adds to ongoing scrutiny of Meta’s data protection practices across its platforms, which include Facebook, Instagram and WhatsApp, serving billions of users globally. Meta agreed to the 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040. In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.