The Hong Kong Telegraph - Ex-WhatsApp executive sues Meta over alleged security failures


Photo: Kirill KUDRYAVTSEV - AFP

The former top security executive at WhatsApp filed a US federal lawsuit on Monday alleging that parent company Meta systematically violated cybersecurity regulations and retaliated against him for reporting the failures.


Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5 billion penalty on the company in 2020.

The lawsuit, filed in federal court in San Francisco, alleges Facebook-owner Meta failed to implement basic cybersecurity measures including adequate data handling and breach detection capabilities.

According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could "move or steal user data" including contact information, IP addresses, and profile photos "without detection or audit trail."

The filing claims Baig repeatedly raised concerns with senior executives including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg.

Meta representatives did not immediately respond to requests for comment.

Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings, and ultimately termination in February 2025 for apparent "poor performance."

The lawsuit also claims Meta blocked implementation of security features intended to address account takeovers affecting an estimated 100,000 WhatsApp users daily, choosing instead to prioritize user growth.

Prior to joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One, and other major financial institutions.

He filed complaints with federal regulators including the Securities and Exchange Commission before pursuing the current litigation.

The case adds to ongoing scrutiny of Meta's data protection practices across its platforms, which include Facebook, Instagram, and WhatsApp, serving billions of users globally.

Meta agreed to the 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040.

In his whistleblower complaint, Baig is requesting reinstatement, back pay, and compensatory damages, along with potential regulatory enforcement action against the company.

In a separate case targeting Meta first reported in the Washington Post on Monday, current and former employees allege the company suppressed research on child safety risks in its virtual reality products.

Meta denies these claims, stating it prioritizes youth safety and complies with privacy laws.

胡-L.Hú--THT-士蔑報