Ex-WhatsApp security chief files suit over privacy failures at Meta

A former Meta employee has filed a lawsuit accusing the company of allowing “systemic cybersecurity failures” at WhatsApp that put user privacy at risk.

The complaint, filed Monday in U.S. District Court for the Northern District of California, comes from Attaullah Baig, WhatsApp’s former head of security. Baig alleges Meta retaliated against him after he raised concerns, including those directly to CEO Mark Zuckerberg, about serious flaws in the messaging app.

Ex-WhatsApp security chief claims Meta ignored privacy risks

The lawsuit, filed in U.S. District Court for the Northern District of California, alleges that after joining WhatsApp in 2021, Baig uncovered security flaws that breached federal securities laws and Meta’s obligations under a 2020 Federal Trade Commission (FTC) privacy settlement.

The case emerges against the backdrop of Meta’s broader legal battles, including its recent request for a U.S. federal judge to dismiss the FTC’s antitrust suit. That case accuses Meta of unlawfully consolidating power in the social media market by acquiring Instagram and WhatsApp.

In its defence, Meta argues the FTC has failed to provide sufficient evidence that the deals were anticompetitive or harmful to consumers. The company contends that Instagram and WhatsApp have thrived under its ownership, benefiting from significant investments, improved security, and enhanced features. As earlier reported by Cryptopolitan, Meta also rejects the FTC’s narrow market definition, pointing out that platforms like TikTok, YouTube, and Reddit compete directly for users’ attention.

In the current case, Baig claimed that in a security test with Meta’s central team, he found that about 1,500 WhatsApp engineers had unrestricted access to sensitive user data and could move or steal it without detection or audit logs. Meta disputed Baig’s allegations in a statement and sought to downplay his position and responsibilities.

“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” the spokesperson wrote. “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”

Whistleblower group Psst.org represents Baig alongside the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes.  While the lawsuit does not allege that user data was directly compromised, it claims Baig repeatedly warned his superiors that WhatsApp’s cybersecurity shortcomings created serious regulatory compliance risks.

The issues cited are the platform’s lack of a 24-hour security operations center appropriate for its size, inadequate systems to track employee access to user data, and the absence of a comprehensive inventory of data-storing systems, making proper protection and regulatory disclosure impossible.

Baig’s attorneys argue in the lawsuit that his superiors repeatedly criticized his work and that he began receiving “negative performance feedback” just three days after his initial cybersecurity disclosure.

Late last year, Baig informed the SEC of the alleged “cybersecurity deficiencies and failure to inform investors about material cybersecurity risks,” the suit says. A month later, Baig sent Zuckerberg the second of two letters, informing the CEO that he “had filed the SEC complaint” and was “requesting immediate action to address both the underlying compliance failures and the unlawful retaliation.”

Meta denies allegations, calling the lawsuit a “distorted” attack on its record

In January, according to the lawsuit, Baig filed a complaint with the Occupational Safety and Health Administration, noting “the systemic retaliation” he alleged he received after the security disclosures.

The next month, the complaint says Meta dismissed Baig, citing “poor performance”. This occurred during the company’s February layoffs, which affected 5% of its workforce.

The lawsuit argues that the timing and circumstances of Baig’s termination show a clear link to his protected activity. It came soon after his external regulatory filings, capping over two years of alleged systemic retaliation over his cybersecurity disclosures and pushing for compliance with federal law and regulatory orders.

Baig’s attorneys said he filed a notice on Monday to move his SEC-related claims to federal court and had already exhausted all administrative remedies before pursuing the case.

If you're reading this, you’re already ahead. Stay there with our newsletter.