A former senior security executive at WhatsApp has filed a federal lawsuit against Meta, accusing the company of violating cybersecurity rules and retaliating against him for exposing security lapses.
Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, alleged that around 1,500 engineers had unrestricted access to user data without oversight, possibly breaching a 2020 U.S. government order that resulted in a $5 billion penalty against Meta.
The federal complaint, filed in San Francisco, claims Meta neglected essential cybersecurity protocols such as secure data handling and breach detection systems. According to Baig, internal security checks revealed WhatsApp engineers could “move or steal user data,” including IP addresses, profile photos, and contact information, without detection or audit trail.”
Baig stated he repeatedly raised these issues to top executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg. He claims he faced retaliation afterward, including poor performance reviews, verbal warnings, and his eventual dismissal in February 2025 for alleged “poor performance.”
The lawsuit also accuses Meta of blocking security measures aimed at preventing account takeovers affecting about 100,000 users daily, prioritizing growth instead.
Meta has firmly denied Baig’s claims. Carl Woog, vice president of communications at WhatsApp, said, “Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.” He added, “Security is an adversarial space, and we pride ourselves on building on our strong record of protecting people’s privacy.”
Meta insisted Baig was terminated for poor performance, with senior engineers supporting the assessment. The company also pointed out that the Department of Labor’s Occupational Safety and Health Administration had dismissed Baig’s initial complaint, ruling that Meta had not retaliated against him. Furthermore, Meta contested Baig’s self-description as “head of security,” calling it an exaggeration of his role.
Before joining Meta, Baig had held cybersecurity roles at Capital One, PayPal, and other major financial institutions.
This lawsuit adds to Meta’s ongoing scrutiny over user privacy and safety across its platforms, including Facebook, Instagram, and WhatsApp. The company has been under a binding consent order since the Cambridge Analytica scandal in 2020, which lasts until 2040.
Baig is seeking reinstatement, back pay, damages, and possible regulatory action. Meanwhile, in another case, current and former employees accuse Meta of suppressing research on child safety risks in its VR products, a claim Meta has also denied.
What you should know
Attaullah Baig, ex-WhatsApp security chief, is suing Meta for alleged security lapses and retaliation, claiming thousands of engineers had unchecked access to user data.
Meta denies the allegations, insisting Baig was dismissed for poor performance, but the case deepens scrutiny of the company’s data protection practices.
