Former WhatsApp security head Attaullah Baig has filed a lawsuit against Meta, alleging that the company ignored critical security and privacy flaws that endangered billions of users of the messaging app. The case, filed in the U.S. District Court for the Northern District of California, claims that thousands of WhatsApp and Meta employees had unrestricted access to sensitive user data, including profile pictures, location, group memberships, and contact lists. Baig further asserted that Meta failed to adequately address the hacking of over 100,000 accounts daily and rejected his proposed security measures.
Baig stated that he repeatedly warned Meta’s top executives, including CEO Mark Zuckerberg, about the risks posed by these security gaps. According to the lawsuit, in response, his managers retaliated against him, leading to his dismissal in February 2025. Represented by whistleblower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, Baig argued that Meta violated a 2019 privacy settlement with the Federal Trade Commission (FTC) and securities laws requiring disclosure of risk to shareholders. He highlighted the wide-ranging harms users face and stressed the need for Meta to be held accountable while prioritizing user interests.
Meta denied Baig’s allegations, stating that former employees often make distorted claims after dismissal, misrepresenting the ongoing work of its teams. WhatsApp spokesperson Carl Woog emphasized the company’s commitment to user privacy and described security as an adversarial space where the company maintains a strong record of protection.
The lawsuit comes in the context of past controversies over privacy and security at Meta. In 2019, the company, then known as Facebook, paid a $5 billion fine and strengthened its privacy policies to settle allegations regarding the misuse of user data by Cambridge Analytica. Zuckerberg highlighted that privacy was central to the company’s vision, pledging operational and product changes to comply with legal and ethical standards.
Baig is one of a series of whistleblowers accusing Meta of wrongdoing related to privacy, child safety, and the spread of misinformation across its platforms, including Facebook and Instagram. Recently, Whistleblower Aid reported that six current and former Meta employees informed Congress and federal regulators about potential harm to children on Meta’s virtual reality products. Two former employees were scheduled to testify in a Senate hearing, alleging that Meta deleted or altered internal safety research involving children as young as ten who were exposed to sexual abuse, harassment, or violence. Meta has dismissed these claims as baseless, citing selectively leaked internal documents.
Previous whistleblowers, including Sarah Wynn-Williams and Frances Haugen, have similarly alleged sexual harassment, inappropriate behavior by senior executives, and knowingly creating products that harmed teenagers. Meta’s representatives have contested these claims, emphasizing mitigation efforts and acknowledging that the platform reflects both positive and negative aspects of human behavior.
Baig joined WhatsApp in January 2021 as head of security. He conducted a “red-teaming” exercise to simulate attacks and assess vulnerabilities. Despite identifying about 1,500 employees with unrestricted access to sensitive data—violating the company’s 2020 FTC privacy settlement—his repeated attempts to address these issues were largely ignored, with management directing him to focus on less critical security tasks. In October 2022, he documented critical cybersecurity problems, highlighting violations of the FTC order and securities laws. His security proposals, including additional login verification and profile picture protection, were blocked by Meta.
Baig reported ongoing real-world harm, such as account compromises, impersonation, and targeted attacks on journalists. After alerting Zuckerberg and filing a complaint with the SEC, he faced retaliatory threats and was eventually terminated. He also filed a complaint with the Occupational Safety and Health Administration. Baig described Meta as his “dream job” due to its scale and impact but expressed concern that the company treats users like mere numbers rather than prioritizing their safety and privacy.