Ex-WhatsApp executive sues Meta over alleged security failures, claims it retaliated against him 

SAN FRANCISCO – A former top security executive at WhatsApp filed a federal lawsuit on Sept 8 alleging that parent company Meta systematically violated cyber security regulations and retaliated against him for reporting the failures.

Mr Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a 2020 US government order that imposed a US$5 billion (S$6.4 billion) penalty on the company.

The lawsuit, filed in federal court in San Francisco, alleges that Meta failed to implement basic cyber security measures, including adequate data handling and breach detection capabilities.

According to the 115-page complaint, Mr Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” – including contact information, IP addresses, and profile photos – “without detection or audit trail”.

The filing claims Mr Baig repeatedly raised concerns with senior executives, including WhatsApp head Will Cathcart and Meta chief executive officer Mark Zuckerberg.

Mr Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings, and ultimately termination in February 2025 for alleged “poor performance”.

The lawsuit also claims Meta blocked implementation of security features intended to address account takeovers affecting an estimated 100,000 WhatsApp users daily, choosing instead to prioritise user growth.

Meta strongly disputed the allegations.

“Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” Mr Carl Woog, vice-president of communications at WhatsApp, told AFP in a statement.

“Security is an adversarial space, and we pride ourselves on building on our strong record of protecting people’s privacy,” Mr Woog added.

The company said Mr Baig left due to poor performance, with multiple senior engineers independently validating that his work was below expectations.

Meta also noted that the US Department of Labour’s Occupational Safety and Health Administration dismissed Mr Baig’s initial complaint, finding that Meta had not retaliated against him.

The company further insisted that Mr Baig’s self-description as head of security was an exaggeration of his role at WhatsApp, and that he was a lower-level engineer.

Prior to joining Meta, Mr Baig worked in cyber security roles at PayPal, Capital One, and other major financial institutions.

The case adds to ongoing scrutiny of Meta’s data protection practices across its platforms – Facebook, Instagram, and WhatsApp – which serve billions of users globally.

Meta agreed to the 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040.

In his whistle-blower complaint, Mr Baig is requesting reinstatement, back pay, and compensatory damages, along with potential regulatory enforcement action against the company.

In a separate case targeting Meta first reported by the Washington Post on Sept 8, current and former employees allege the company suppressed research on child safety risks in its virtual reality products.

Meta denies these claims, stating it prioritises youth safety and complies with privacy laws. AFP