Ex-Meta security head alleges major security flaws in WhatsApp, sues the company

WhatsApp

Meta is facing a fresh legal battle after a former WhatsApp executive alleged that the messaging app suffers from “systemic cybersecurity failures” that could compromise user privacy.

The lawsuit, filed in the US District Court for the Northern District of California, comes from Attaullah Baig, WhatsApp’s former head of security. Baig claims that upon joining in 2021, he uncovered flaws that violated US securities laws and a 2020 Federal Trade Commission privacy settlement. Among his allegations: roughly 1,500 WhatsApp engineers had unrestricted access to sensitive user data without audit trails, leaving room for potential misuse or theft.

Baig alleges that after raising these issues with top executives — including CEO Mark Zuckerberg — he faced retaliation. Within days of his first disclosure, he says he began receiving negative performance reviews. By late 2023, he had filed complaints with the SEC and OSHA, accusing Meta of both compliance failures and retaliation. Meta terminated Baig in February 2024, citing “poor performance” during a wave of layoffs affecting 5% of staff.

In its response, Meta strongly denied the claims, calling Baig’s role minor and his allegations “distorted.” A spokesperson said: “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”

Baig, now represented by whistleblower group Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes, insists his termination was directly linked to his disclosures. The suit doesn’t allege that any user data was stolen but highlights lapses such as the lack of a 24-hour security operations center and poor monitoring of data access.

The case adds to ongoing scrutiny over Meta’s handling of privacy and compliance as regulators worldwide tighten oversight of tech giants.