Ex-WhatsApp Security Executive Sues Meta Over Alleged Data Breaches and Retaliation
A former senior security leader at WhatsApp has filed a federal lawsuit against Meta, accusing the company of neglecting basic cybersecurity standards and punishing him for raising concerns.
Attaullah Baig, who worked at WhatsApp between 2021 and 2025, claims that roughly 1,500 engineers had unrestricted access to user information without proper monitoring. He argues this could violate a 2020 U.S. government consent order that cost Meta $5 billion and requires stricter data protection practices.
According to the 115-page complaint, Baig’s internal tests showed that engineers could move or even steal user details—such as contacts, IP addresses, and profile photos—without detection. He says he repeatedly escalated his concerns to WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg, but instead of action, he faced retaliation.
Baig alleges the pushback began with poor performance reviews and verbal warnings, before his eventual dismissal in February 2025. He also claims Meta blocked stronger security features designed to combat account takeovers that were affecting an estimated 100,000 WhatsApp users every day, choosing to prioritize growth instead.
Meta, however, strongly disputes the allegations.
“This is a familiar playbook—an employee dismissed for poor performance making distorted claims,” Carl Woog, WhatsApp’s vice president of communications, told AFP. He insisted the company has a strong record of protecting user privacy and that multiple senior engineers had confirmed Baig’s work fell short of expectations.
Meta further said that Baig exaggerated his role, describing himself as head of security when, according to the company, he held a lower-level engineering position. The company also pointed out that the Department of Labor dismissed Baig’s initial retaliation complaint.
Before joining Meta, Baig held cybersecurity roles at PayPal, Capital One, and other financial institutions. His lawsuit seeks reinstatement, back pay, and damages, along with potential regulatory action against Meta.
The case adds to ongoing scrutiny of the tech giant’s privacy and safety practices. Meta has already been under pressure since the Cambridge Analytica scandal, which led to the 2020 settlement that remains in force until 2040.
Separately, Meta is also facing claims from current and former employees that the company downplayed research on risks to children using its virtual reality platforms—allegations Meta denies, saying it prioritizes youth safety.
