A former senior security leader at WhatsApp has filed a federal lawsuit accusing parent company Meta of systematically violating cybersecurity regulations and retaliating against him for raising concerns.
Attaullah Baig, who served as WhatsApp’s head of security from 2021 to 2025, claims roughly 1,500 engineers had unrestricted access to user data without proper oversight. He argues this practice may have breached a 2020 U.S. government consent order that fined Meta $5 billion and imposed strict data-protection requirements.
Filed in federal court in San Francisco, the suit alleges Meta failed to adopt fundamental safeguards, including proper data handling and breach detection systems. According to Baig’s 115-page complaint, internal testing revealed that WhatsApp engineers could “move or steal user data” — such as contact lists, IP addresses, and profile photos — “without detection or audit trail.”
Baig says he repeatedly escalated these concerns to senior leaders, including WhatsApp chief Will Cathcart and Meta CEO Mark Zuckerberg. Instead of corrective action, he claims he faced retaliation beginning in 2021, including negative reviews, formal warnings, and ultimately termination in February 2025 for what Meta labeled “poor performance.”
The lawsuit further alleges Meta blocked the rollout of security tools aimed at curbing account takeovers that Baig estimates affect 100,000 WhatsApp users daily. The company, he claims, chose to prioritize growth metrics over safety.
Meta strongly rejected the accusations.
“This is a familiar playbook in which a former employee dismissed for poor performance later goes public with distorted claims,” Carl Woog, WhatsApp’s vice president of communications, said in a statement. He added: “Security is an adversarial space, and we are proud of our strong record protecting people’s privacy.”
Meta maintains Baig’s dismissal was performance-related, citing senior engineers who reviewed his work. The company also pointed out that the U.S. Department of Labor’s Occupational Safety and Health Administration previously dismissed Baig’s retaliation complaint. Additionally, Meta disputes Baig’s claim of being “head of security,” characterizing him instead as a lower-level engineer.
Before joining Meta, Baig held cybersecurity roles at PayPal, Capital One, and other financial institutions.
The case intensifies scrutiny of Meta’s handling of user data across its platforms — Facebook, Instagram, and WhatsApp — which serve billions worldwide. Meta has been under a binding 20-year consent order with U.S. regulators since the 2018 Cambridge Analytica scandal, which exposed data misuse involving 50 million Facebook users.
Baig is seeking reinstatement, back pay, compensatory damages, and regulatory enforcement action against Meta.
Meanwhile, in a separate case reported by The Washington Post, current and former employees accuse Meta of suppressing internal research on child safety risks in its virtual reality products. Meta denies those claims, insisting it prioritizes youth protection and complies with privacy laws.