• Attaullah Baig alleges significant security failures at Meta's WhatsApp.
• Claims 1,500 engineers had unmonitored access to sensitive user data.
• Meta disputes allegations, claiming Baig misrepresents his position and performance.

Attaullah Baig, former head of security at WhatsApp, has filed a federal lawsuit asserting that Meta systematically violated cybersecurity regulations and retaliated against him for raising security concerns. He claims that approximately 1,500 engineers had unrestricted access to user data without adequate oversight, potentially breaching a US government order that imposed a $5 billion penalty on the company. Baig's allegations highlight failures in basic cybersecurity measures and insufficient data handling protocols within WhatsApp, according to thejakartapost, lemonde, and indiatimes.

According to the lawsuit, Baig discovered through internal security tests that WhatsApp engineering staff could "move or steal user data" without detection. He reported these discoveries multiple times to senior executives, including Meta CEO Mark Zuckerberg, but alleges he encountered escalating retaliation instead of action on his concerns. His performance reviews grew negative, culminating in his termination in February 2025 for alleged "poor performance," as reported by thejakartapost and lemonde.

In the allegations, Baig specifically noted that Meta chose to prioritize user growth over implementing crucial security features designed to counteract regular account takeovers affecting around 100,000 WhatsApp users daily. Baig's lawsuit further states that WhatsApp lacked a 24/7 security operations center and employs fewer security engineers compared to similar firms. This breach of security practices could potentially violate existing FTC settlements and securities laws, as mentioned in reports by thejakartapost and indiatimes.

Meta strongly disputes Baig's claims, asserting that his dismissal related to "poor performance" and that his self-identification as the head of security oversimplifies his actual role at WhatsApp. Carl Woog, a spokesperson for Meta, stated that Baig's allegations follow a familiar narrative whereby a former employee responds to their dismissal with "distorted claims." Baig's issues with perceived cybersecurity risks and subsequent termination have drawn attention to Meta's compliance with privacy laws and internal management practices, as noted by lemonde and indiatimes.

Baig's whistleblower complaint includes a request for reinstatement and back pay, along with potential regulatory enforcement actions against Meta. His case appears to add to the scrutiny surrounding Meta's data protection practices which have been under examination since the Cambridge Analytica scandal, reflecting ongoing concerns about the privacy and security of user data across its platforms, including WhatsApp, as highlighted by thejakartapost, lemonde, and indiatimes.