An Indian-origin former Meta employee has filed a lawsuit against the social media giant, accusing it of ignoring “systemic cybersecurity failures” in its WhatsApp messaging platform and retaliating against him for raising the alarm.
Attaullah Baig was appointed WhatsApp’s head of security in 2021.
The complaint, filed Monday in the US District Court for the Northern District of California, comes from Attaullah Baig, who served as WhatsApp’s head of security after joining the company in 2021. According to a report by CNBC, Baig alleges that his disclosures about serious vulnerabilities, including broad employee access to user data, were dismissed internally and ultimately led to his job loss.
According to the lawsuit, Baig discovered during a security test that roughly 1,500 WhatsApp engineers had “unrestricted access” to user data, including sensitive personal information. The suit claims employees “could move or steal such data without detection or audit trail,” potentially exposing the platform to compliance risks under federal law and a 2020 privacy settlement Meta reached with the Federal Trade Commission.
Meta, however, rejected Baig’s accusations. In a statement, a company spokesperson said, “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”
Who is Attaullah Baig?
Attaullah Baig is an Indian-origin cybersecurity professional with more than two decades of experience. He earned his Bachelor of Technology in Computer Science from the National Institute of Technology (NIT) Warangal. He then went on to pursue a Master of Science in Computer Science at the University of Utah, as per his LinkedIn profile.
Baig was appointed WhatsApp’s head of security in 2021. His role involved overseeing the app’s compliance and safeguarding user data at one of the world’s most widely used messaging services.
The lawsuit claims that shortly after his initial “cybersecurity disclosure,” Baig began receiving negative performance reviews, and within months, was subject to what he describes as systemic retaliation. He also filed complaints with the Securities and Exchange Commission (SEC) and the Occupational Safety and Health Administration (OSHA), both alleging retaliation and compliance failures.
Meta ultimately terminated him in February this year, citing poor performance during a round of layoffs.
Baig’s legal team, including whistleblower advocacy group Psst.org, argues that his dismissal was directly tied to his disclosures. The suit further alleges that Meta failed to maintain key security measures, such as a 24-hour security operations center and systems to properly monitor data access.
The lawsuit does not allege that user data was actually stolen or compromised, but it contends that WhatsApp’s internal practices left the platform vulnerable and put millions of users’ privacy at risk.