Ex-WhatsApp cybersecurity executive says Meta endangered billions of users in new suit.
A former top cybersecurity executive at WhatsApp filed a lawsuit on Monday alleging that parent company Meta disregarded internal flaws in the app’s digital defenses and exposed billions of its users. He says the company systematically violated cybersecurity regulations and retaliated against him for reporting the failures.
Attaullah Baig, who served as the head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.
He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth. The lawsuit, filed in US federal court in San Francisco, alleges Facebook owner Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.
Table of Contents
The Allegations
According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.
The filing claims Baig repeatedly raised concerns with senior executives, including the WhatsApp head, Will Cathcart, and Meta CEO, Mark Zuckerberg. Meta acquired WhatsApp for $19bn in 2014. The app now boasts three billion users, according to Meta.
Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings and ultimately termination in February 2025 for apparent “poor performance”.
The company emphasized that Baig left due to poor performance, with multiple senior engineers independently validating that his work was below expectations. Meta noted in a statement that the Department of Labor’s Occupational Safety and Health Administration dismissed Baig’s initial complaint, finding that it had not retaliated against him.
Before joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One and other major financial institutions.
Meta’s Response
Meta reportedly denied the core allegations and said Baig was dismissed for poor performance. A WhatsApp spokesperson said the claims “misrepresent the ongoing hard work of our team” and disputed Baig’s characterization of his role and of the security posture at the company. Meta also pointed to prior reviews that it says validated its security practices.
The complaint arrives amid heightened scrutiny of Big Tech privacy and safety practices. Baig’s filing points to the company’s 2020 consent order with the FTC, a settlement that imposes long-running obligations on Meta and alleges that the reported operational shortcomings could amount to violations of that order and securities laws. Meta has faced earlier regulatory penalties and inquiries related to privacy practices. The consent order remains in effect until 2040.
In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.
