WhatsApp’s former head of cybersecurity filed a lawsuit on Monday alleging that parent company Meta disregarded internal flaws in the app’s digital defenses and exposed billions of its users. He says the company systematically violated cybersecurity regulations and retaliated against him for reporting the failures.
Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.
He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth. The lawsuit, filed in US federal court in San Francisco, alleges Facebook-owner Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.
According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.
The filing claims Baig repeatedly raised concerns with senior executives, including the WhatsApp head, Will Cathcart, and Meta CEO, Mark Zuckerberg. Meta acquired Whatsapp for $19bn in 2014.
Meta representatives did not immediately respond to requests for comment. A Meta spokesperson, Andy Stone, wrote on Threads, the company’s text-based social network: “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”
Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings and ultimately termination in February 2025 for apparent “poor performance”.
Before joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One and other major financial institutions.
He filed complaints with federal regulators including the Securities and Exchange Commission before pursuing the current litigation.
The case adds to ongoing scrutiny of Meta’s data protection practices across its platforms, which include Facebook, Instagram and WhatsApp, serving billions of users globally.
skip past newsletter promotion Sign up to TechScape Free weekly newsletter A weekly dive in to how technology is shaping our lives Enter your email address Sign up Privacy Notice: Newsletters may contain information about charities, online ads, and content funded by outside parties. If you do not have an account, we will create a guest account for you on Newsletters may contain information about charities, online ads, and content funded by outside parties. If you do not have an account, we will create a guest account for you on theguardian.com to send you this newsletter. You can complete full registration at any time. For more information about how we use your data see our Privacy Policy . We use Google reCaptcha to protect our website and the Google Privacy Policy and Terms of Service apply. after newsletter promotion
Meta agreed to the 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040.
In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.