A former top cybersecurity executive at WhatsApp filed a lawsuit on Monday alleging that parent company Meta disregarded internal flaws in the app’s digital defenses and exposed billions of its users. He says the company systematically violated cybersecurity regulations and retaliated against him for reporting the failures.
Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.
He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth. The lawsuit, filed in US federal court in San Francisco, alleges Facebook-owner Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.
According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.
The filing claims Baig repeatedly raised concerns with senior executives, including the WhatsApp head, Will Cathcart, and Meta CEO, Mark Zuckerberg. Meta acquired Whatsapp for $19bn in 2014. The app now boasts three billion users, according to Meta.
WhatsApp’s vice president of communications Carl Woog wrote in a statement, “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”
Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings and ultimately termination in February 2025 for apparent “poor performance”.
The company emphasized that Baig left due to poor performance, with multiple senior engineers independently validating that his work was below expectations. Meta noted in a statement that the Department of Labor’s Occupational Safety and Health Administration dismissed Baig’s initial complaint, finding that it had not retaliated against him.
Before joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One and other major financial institutions.
He filed complaints with federal regulators including the Securities and Exchange Commission before pursuing the current litigation.
after newsletter promotion
The case adds to ongoing scrutiny of Meta’s data protection practices across its platforms, which include Facebook, Instagram and WhatsApp, serving billions of users globally.
Meta agreed to the 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040.
In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.