TLDR:
- Ex-WhatsApp security head alleges Meta ignored flaws letting 1,500 engineers access user data without safeguards.
- Lawsuit highlights parallels to past Meta scandals, including Cambridge Analytica and 2018 Facebook security breaches.
- Meta disputes claims, arguing Baig was dismissed for performance, not retaliation over whistleblowing disclosures.
- Allegations raise regulatory stakes, with FTC privacy settlement potentially exposing Meta to steep penalties.
Meta Platforms Inc. is once again under scrutiny following explosive allegations from a former senior executive at WhatsApp.
Attaullah Baig, who served as the messaging app’s head of security after joining in 2021, has filed a lawsuit in the U.S. District Court for the Northern District of California.
He claims Meta ignored systemic cybersecurity flaws that could expose millions of users’ private information and failed to meet its obligations under a 2020 privacy settlement with the Federal Trade Commission (FTC).
Baig’s complaint centers on accusations that roughly 1,500 WhatsApp engineers had unfettered access to sensitive user data without proper audit controls. He alleges that despite raising these issues directly with senior leadership, including Meta CEO Mark Zuckerberg, no corrective measures were taken. Instead, he says, his warnings were met with retaliation that ultimately cost him his job.
Claims of unrestricted data access
According to court filings, Baig discovered that WhatsApp’s internal systems allowed thousands of engineers to view user information without effective restrictions. He argues this setup not only violated privacy expectations but also exposed the company to risks of misuse and regulatory penalties.
While Baig did not allege that user data was actually breached or leaked, he insisted the vulnerabilities were severe enough to warrant immediate intervention. His lawsuit suggests Meta’s leadership chose to downplay the risks to avoid reputational harm and potential legal exposure.
Baig further claims that the lack of audit trails for engineer activity mirrors security oversights that have historically plagued Meta’s platforms. Critics note that these allegations evoke memories of past scandals, including the 2018 Cambridge Analytica incident, in which tens of millions of Facebook profiles were harvested without consent, and a separate vulnerability the same year that exposed the data of 30 million users.
Retaliation allegations against Meta
The lawsuit goes beyond technical vulnerabilities to describe what Baig characterizes as retaliatory action. He says that just three days after first flagging the security gaps, he received negative performance reviews despite having no prior issues.
His dismissal in February 2025 was officially part of broader layoffs affecting 5% of Meta’s workforce. However, Baig contends the timing and abrupt shift in evaluations demonstrate a calculated move to silence his warnings. Before filing the lawsuit, Baig had already lodged complaints with the Securities and Exchange Commission (SEC) and the Occupational Safety and Health Administration (OSHA), a step whistleblowers are often required to take before pursuing civil litigation.
Meta has strongly rejected Baig’s claims, calling them inaccurate and overstated. A company spokesperson emphasized that Baig was let go solely for poor performance and not because of his disclosures.
Broader implications for Meta
If substantiated, Baig’s allegations could carry significant consequences. Meta is already bound by the FTC’s 2020 consent decree, which requires the company to implement robust data safeguards. Any violation could trigger heavy fines and intensified oversight.
Observers argue the case underscores persistent concerns that Meta’s massive scale makes it difficult to enforce consistent internal controls across its platforms. For users, the controversy reinforces long-standing anxieties about whether their private conversations and data are adequately protected.