Ex-Meta Security Lead Accuses Company of Major WhatsApp Security Failures
Attaullah Baig, former head of security at WhatsApp, has initiated a whistleblower lawsuit against Meta, alleging that the messaging platform harbors systemic cybersecurity weaknesses that jeopardize user privacy. The suit, filed in the U.S. District Court for the Northern District of California, claims Baig identified critical vulnerabilities after joining WhatsApp in 2021.
According to the complaint, Baig discovered that roughly 1,500 WhatsApp engineers had unfettered access to sensitive user data, including private personal information. This access allegedly lacked adequate monitoring, allowing employees to move or exfiltrate data without detection or audit trails. Baig contends these security gaps violate federal securities laws and breach Meta’s obligations under a 2020 privacy settlement with the Federal Trade Commission (FTC).
Claims of Retaliation After Reporting Security Issues
The lawsuit asserts that Baig repeatedly informed Meta leadership, including CEO Mark Zuckerberg, about these cybersecurity deficiencies and their regulatory implications. Following his disclosures, Baig alleges he faced systemic retaliation, including negative performance reviews shortly after his initial report and eventual termination in February 2025 during a company-wide layoff affecting 5% of staff.
Baig also notified the Securities and Exchange Commission (SEC) in November 2024 about the alleged security risks and Meta’s failure to inform investors. Subsequent communications to Zuckerberg highlighted both the regulatory noncompliance and the retaliatory actions Baig claims to have endured. In January 2025, Baig filed a complaint with the Occupational Safety and Health Administration (OSHA) documenting this retaliation; Meta states the OSHA complaint was dismissed.
Meta Denies Allegations, Questions Baig’s Credibility
Meta responded by disputing Baig’s claims and downplaying his role within the company. A Meta spokesperson characterized the lawsuit as a familiar pattern in which a former employee, allegedly dismissed for poor performance, brings forward distorted accusations. The company emphasized its commitment to privacy and security, asserting ongoing efforts to protect user data.
The suit also points to WhatsApp’s insufficient security infrastructure, including the absence of a 24-hour security operations center, inadequate monitoring systems for user data access, and the lack of a comprehensive inventory of systems storing user data, factors that undermine proper protection and regulatory compliance.
Legal Representation and Next Steps
Baig is represented by whistleblower advocacy group Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes. His attorneys note that he has exhausted administrative remedies related to SEC claims before pursuing federal litigation. The case underscores ongoing tensions around corporate cybersecurity practices and regulatory transparency within major technology platforms.
FinOracleAI — Market View
This whistleblower lawsuit introduces reputational and regulatory risks for Meta, particularly concerning WhatsApp’s data security and compliance with privacy regulations. While no breach has been confirmed by the suit, allegations of broad internal access to sensitive data could raise investor and user concerns. The market should monitor regulatory responses, any potential investigations, and Meta’s subsequent disclosures or remediation efforts.
Impact: Negative
