Attaullah Baig, the former head of security for WhatsApp, has filed a federal lawsuit against Meta, alleging that the company knowingly ignored widespread cybersecurity vulnerabilities that jeopardized the data of billions of users.
The suit claims Meta violated privacy regulations and securities laws, and that Baig was fired in retaliation for raising these issues.
Attaullah Baig & Meta Lawsuit
According to the lawsuit, approximately 1,500 engineers had unchecked access to sensitive user data—including messages, location, contact lists, and profile photos, with insufficient oversight. Baig alleges this practice breached a 2020 privacy settlement with the U.S. Federal Trade Commission (FTC).
Internal tests conducted by Baig allegedly revealed up to 500,000 WhatsApp account compromises per day.
The lawsuit claims that despite these findings, Meta failed to implement basic security measures. These include proper monitoring and remediation protocols. Baig says he alerted senior leaders, including Meta CEO Mark Zuckerberg and WhatsApp head Will Cathcart, but they resisted his concerns.
The complaint details escalating retaliation against Baig after he flagged six critical cybersecurity failures in October 2022. He alleges the company downgraded his performance reviews, obstructed his projects, and ultimately terminated him in February 2025.
Baig also filed complaints with the Securities and Exchange Commission (SEC) and the Occupational Safety and Health Administration (OSHA). He has also teamed with Psst.org for his case, which is a non-profit organization that “keeps a check on the powerful.”
Meta’s Response
Meta has denied the accusations, calling Baig a disgruntled former employee. They claim he was fired for poor performance and attributing his claims to a “familiar playbook.” The company maintains its security practices are robust and that Baig has misrepresented the security team’s work.
Attaullah Baig’s lawsuit is the latest in a series of whistleblower complaints raising concerns about Meta’s handling of user data. His case draws comparisons to former Twitter security chief Peiter “Mudge” Zatko, highlighting ongoing scrutiny of how Big Tech prioritizes growth against user privacy and safety.