Former WhatsApp Security Head Sues Meta Over Alleged Security Failures and Retaliation

Former WhatsApp executive Attaullah Baig has sued Meta, alleging the company failed to implement basic cybersecurity measures on its WhatsApp messaging platform. Baig claims Meta had 1,500 engineers with unrestricted access to user data without oversight, potentially violating a $5 billion US government order. He also alleges retaliation for reporting the failures, including negative performance reviews, verbal warnings, and termination. Baig requests reinstatement, back pay, and compensatory damages.

Former WhatsApp executive Attaullah Baig has filed a lawsuit against Meta, alleging that the company failed to implement basic cybersecurity measures on its WhatsApp messaging platform. Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a 2020 US government order that imposed a $5 billion penalty on the company [1].

The lawsuit, filed in federal court in San Francisco, alleges that Meta failed to implement adequate data handling and breach detection capabilities. Baig discovered through internal security testing that WhatsApp engineers could "move or steal user data" -- including contact information, IP addresses, and profile photos -- "without detection or audit trail" [2].

Baig claims that he repeatedly raised concerns with senior executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg, but faced escalating retaliation after his initial reports in 2021. This retaliation included negative performance reviews, verbal warnings, and ultimately termination in February 2025 for alleged "poor performance" [3].

The lawsuit also alleges that Meta blocked the implementation of security features intended to address account takeovers affecting an estimated 100,000 WhatsApp users daily, choosing instead to prioritize user growth. Meta strongly disputes these allegations, stating that Baig left due to poor performance and that the Department of Labor's Occupational Safety and Health Administration dismissed Baig's initial complaint [1].

Prior to joining Meta, Baig worked in cybersecurity roles at PayPal and Capital One. He filed complaints with federal regulators, including the Securities and Exchange Commission, before pursuing the current litigation. The case adds to ongoing scrutiny of Meta's data protection practices across its platforms -- Facebook, Instagram, and WhatsApp -- which serve billions of users globally [2].

Meta agreed to a 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040 [3].

In his whistleblower complaint, Baig is requesting reinstatement, back pay, and compensatory damages, along with potential regulatory enforcement action against the company.

References:

[1] https://www.france24.com/en/live-news/20250908-ex-whatsapp-executive-sues-meta-over-alleged-security-failures
[2] https://www.yahoo.com/news/articles/ex-whatsapp-executive-sues-meta-192758963.html
[3] https://www.cp24.com/news/world/2025/09/08/ex-whatsapp-executive-sues-meta-over-alleged-security-failures/