A former WhatsApp security chief has filed a lawsuit against Meta, accusing the company of serious cybersecurity weaknesses that risk user privacy. Attaullah Baig, who led security at WhatsApp until 2024, claims Meta retaliated after he reported these issues to senior executives, including CEO Mark Zuckerberg.
Baig’s complaint, lodged in the U.S. District Court for the Northern District of California, states that upon joining WhatsApp in 2021, he uncovered major flaws violating federal laws and Meta’s 2020 privacy settlement with the Federal Trade Commission. He alleges that about 1,500 WhatsApp engineers had unrestricted access to sensitive user data, with no audit controls to prevent misuse.
Meta denied the claims, describing Baig’s dismissal as performance-related and dismissing his allegations as distorted. “Security is an adversarial space, and we pride ourselves in protecting people’s privacy,” the company said.
Baig, backed by whistleblower group Psst.org and law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes, warned Meta repeatedly about regulatory risks posed by these security gaps, including the absence of a 24-hour security operations centre and inadequate monitoring of data access.
The lawsuit also details Baig’s internal criticism shortly after his disclosures, his November 2024 complaint to the Securities and Exchange Commission about undisclosed cybersecurity risks, and subsequent filings to higher authorities. He was dismissed in Meta’s February 2025 layoffs, which affected 5% of staff, officially for poor performance.
Baig’s legal team argues his firing was linked to his whistleblowing, pointing to years of alleged retaliation.