Meta sued by ex-employee over WhatsApp flaws

A former employee of Meta sued the social media company on Monday for ignoring severe security and privacy flaws in WhatsApp that he alleges put user data at risk. Attaullah Baig, who served as WhatsApp’s head of security from 2021 to 2025, alleged that the messaging service contained ‘systemic cybersecurity failures’ that potentially compromise user privacy.

He claimed that the social media giant retaliated against him after he informed leaders, including CEO Mark Zuckerberg, about security vulnerabilities with the messaging service. He alleged that approximately 1,500 Meta engineers had unrestricted access to sensitive WhatsApp user data, without proper oversight.

Filed in the US District Court for the Northern District of California, the lawsuit alleged that after joiningWhatsApp, Baig discovered security flaws that violated federal securities laws and Meta's legal responsibilities under a privacy settlement with the Federal Trade Commission in 2020.

According to the suit, the company failed to implement fundamental cybersecurity measures, such as effective data handling and breach detection capabilities. As per the 115-page complaint, he found through internal security testing that WhatsApp developers may ‘move or steal user data’ such as contact information, IP addresses, and profile photographs, “without detection or audit trail".

In 2014, Meta acquired WhatsApp for $19bn. The app now boasts three billion users, according to the company.

A Meta spokesperson denied the allegation in a statement, downplaying Baig’s role and position at the company. “Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy," the spokesperson said, reported CNBC.

He is being represented by Psst.org, a whistleblower organisation, and the law firm Schonbrun, Seplow, Harris, Hoffman, and Zeldes. The lawsuit makes no claims that any user data was exposed, but it does state that Baig informed superiors on many occasions that thecybersecurity failings created a regulatory compliance risk.

Among the alleged security problems are WhatsApp's inability to build a 24-hour security operations centre appropriate for its size and scope, mechanisms to track user data access, and “a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure.”

In the lawsuit, Baig's attorneys said that his superiors criticised his work on numerous occasions and that he began receiving ‘negative performance feedback’ within three days of his initial ‘cybersecurity disclosure.’

“The timing and circumstances of Baig’s termination establish a clear causal connection to his protected activity, occurring in close temporal proximity to his external regulatory filings and representing the culmination of over two years of systemic retaliation for hiscybersecurity disclosures and advocacy for compliance with federal law and regulatory orders,” the suit read.

Before joining Meta, Attaullah Baig served in cybersecurity roles at PayPal, Capital One, and other significant financial organisations.