Ex-Executive Accuses Meta
WhatsApp’s former cybersecurity chief, Attaullah Baig, sued Meta on Monday in federal court in San Francisco, accusing the company of knowingly ignoring internal vulnerabilities that exposed billions of users to attacks. The suit claims Meta systematically disregarded cybersecurity protocols and persecuted him for speaking out.
Baig, who was WhatsApp’s security chief from 2021 to 2025, alleges that approximately 1,500 engineers had unfettered access to personal user data without adequate controls. In the filing, this is said to be in direct contravention of a 2020 US government order that earlier imposed a $5 billion fine on Meta for privacy infractions.
Ignored Warnings and Daily Account Takeovers
The 115-page suit spells out Baig’s warnings to top executives, such as WhatsApp CEO Will Cathcart and Meta CEO Mark Zuckerberg, regarding hacking attacks on more than 100,000 accounts every day. Baig claims the company gave preference to user expansion over fundamental cybersecurity standards like data management procedures and breach-detection tools.
Internal testing allegedly showed that WhatsApp engineers were able to transfer or steal user data such as contact lists, profile pictures, and IP addresses without either audit trail or detection. Baig alleges that these issues were repeatedly brushed aside, leaving users at risk for data theft and abuse.
ALSO READ: Google Hit with $3.5 Billion EU Fine: Will This End Its Dominance in Digital Advertising?
Retaliation and Whistleblower Claims
Baig says he faced escalating retaliation after reporting the issues, including negative performance reviews, verbal warnings, and ultimately, termination in February 2025 for alleged “poor performance.” Before joining Meta, Baig had held cybersecurity roles at major firms including PayPal and Capital One, adding weight to his claims.
He has already complained to federal regulators, such as the Securities and Exchange Commission, and is asking to be reinstated, paid back pay, compensatory damages, and possible regulatory action against Meta.
Meta declined direct comment on the suit. A spokesperson, Andy Stone, wrote on the company’s platform Threads, calling the allegations “distorted claims” of a former staffer who had been terminated for performance issues.
The lawsuit contributes to continued scrutiny of Meta’s platforms Facebook, Instagram, and WhatsApp of data protection habits. The 2020 consent decree of the Cambridge Analytica scandal that involved the use of data from 50 million Facebook users will expire in 2040. The lawsuit again brings into question the firm’s dedication to cybersecurity and the privacy of users.
