Former WhatsApp security chief sues Meta over alleged systemic cybersecurity failures
Complaint alleges 1,500 engineers had unrestricted access to sensitive user data
Plaintiff claims retaliation after escalating issues, seeks reinstatement and damages
Case could trigger FTC, SEC probes and wider scrutiny of data practices
A former senior security executive at WhatsApp filed a federal lawsuit Monday accusing Meta Platforms Inc. of ignoring repeated warnings about “systemic cybersecurity failures” that put user data at risk, and of retaliating against him after he raised the alarm, Bloomberg reported.
The complaint, filed in the U.S. District Court for the Northern District of California, says the flaws were reported up the chain of command, including to senior WhatsApp leaders and Meta CEO Mark Zuckerberg, but went unaddressed.
The Allegations
The suit, brought by Attaullah Baig (who says he was WhatsApp’s head of security from 2021 to 2025), alleges that roughly 1,500 WhatsApp engineers had unrestricted access to sensitive user data and could copy, move or steal information “without detection or an audit trail.”
Baig also claims the app lacked a full-time security operations centre and that WhatsApp suffered large numbers of account takeovers each day, problems he says may have breached Meta’s obligations under a 2020 Federal Trade Commission privacy order.
According to the filing, Baig repeatedly escalated the issues internally beginning in 2021 and later lodged complaints with federal regulators, including the Securities and Exchange Commission.
He says that, after pressing the matter, he was hit with negative performance reviews and ultimately terminated in February 2025, conduct he calls retaliatory. Baig is seeking reinstatement, back pay and compensatory damages and has asked regulators to investigate.
Meta’s Response
Meta reportedly denied the core allegations and said Baig was dismissed for poor performance. A WhatsApp spokesperson said the claims “misrepresent the ongoing hard work of our team” and disputed Baig’s characterization of his role and of the security posture at the company. Meta also pointed to prior reviews that it says validated its security practices.
The complaint arrives amid heightened scrutiny of Big Tech privacy and safety practices. Baig’s filing points to the company’s 2020 consent order with the FTC, a settlement that imposes long-running obligations on Meta and alleges that the reported operational shortcomings could amount to violations of that order and securities laws. Meta has faced earlier regulatory penalties and inquiries related to privacy practices.
Procedural Notes
Baig previously filed a retaliation complaint with the U.S. Department of Labor’s Occupational Safety and Health Administration. However, WhatsApp told reporters that OSHA found no evidence of retaliation in that administrative review.
Meta says multiple senior engineers independently evaluated Baig’s performance and reached adverse conclusions. Baig counters that the reviews were themselves part of the alleged retaliation.
If the allegations are borne out, they could deepen regulatory scrutiny of Meta and renew calls for tougher enforcement of corporate cybersecurity controls and whistleblower protections.
The case also underscores tensions that can arise when security teams clash with product and growth priorities at large platforms serving billions of users. Regulators, investors and privacy advocates will likely watch whether the lawsuit prompts new investigations or enforcement actions.
