Attaullah Baig via The New York Times, Background: - Attaullah Baig, former WhatsApp head of security, has sued Meta in U.S. court, alleging privacy lapses and retaliation.
- He claims around 1,500 engineers had “unrestricted access” to sensitive user data without oversight.
- Baig alleges Meta ignored mass account takeover issues, violating a 2020 FTC privacy order.
- Meta denies wrongdoing, saying Baig was dismissed for poor performance and OSHA backed that position.
A former WhatsApp security executive has filed a federal lawsuit against parent company Meta, accusing it of overlooking systemic security flaws that exposed user data and retaliating against him for raising alarms. The lawsuit, lodged in the U.S. District Court for the Northern District of California, comes from Attaullah Baig, who joined WhatsApp in 2021 and served as its head of security until his termination earlier this year.
Allegations of Mass Data Access
In his 115-page complaint, Baig claims that nearly 1,500 WhatsApp engineers had unrestricted access to user data, including contact information, IP addresses and profile photos. He says the lack of audit trails meant employees could “move or steal user data without detection,” potentially putting the company in violation of federal law and a 2020 privacy settlement Meta reached with the Federal Trade Commission.
Baig further alleges that WhatsApp failed to address widespread daily account takeovers, claiming that more than 100,000 accounts were being hacked or hijacked every day. According to him, internal proposals to strengthen defenses were dismissed in favor of prioritizing user growth.
The lawsuit states that Baig repeatedly escalated his concerns to senior leaders, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg.
JOIN US TO STAY UPDATED ON YOUR FAVORITE MESSENGER APP!
Meta Pushes Back
Meta has strongly denied the allegations. A company spokesperson told CNBC:
“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”
The company also pointed out that the Occupational Safety and Health Administration (OSHA) dismissed Baig’s earlier complaint, finding insufficient evidence of retaliation. Meta emphasized that Baig’s performance had been independently reviewed by multiple senior engineers before his termination in February 2025.
Who Is Attaullah Baig?
Baig is an Indian-origin cybersecurity professional with over two decades of experience. He graduated in Computer Science from NIT Warangal before completing a master’s degree at the University of Utah. Prior to WhatsApp, he held senior security roles at financial institutions including PayPal and Capital One. At WhatsApp, Baig oversaw data security and compliance for the messaging app, which now has more than three billion users globally.
Regulatory and Legal Implications
The lawsuit could reignite scrutiny of Meta’s compliance with the FTC’s 2020 privacy order, which followed the Cambridge Analytica scandal and imposed a $5 billion penalty on the company. That consent order remains in effect until 2040 and requires strict oversight of how Meta handles user data.
Baig’s complaint also references potential violations of U.S. securities laws and has been filed alongside reports to the Securities and Exchange Commission (SEC). He is seeking reinstatement, back pay, compensatory damages, and possible regulatory enforcement against Meta.
What’s Next?
The case is expected to draw attention from regulators in the U.S. and abroad, as Meta continues to face scrutiny over its data practices. For billions of WhatsApp users, particularly in countries like India where the app dominates messaging, the lawsuit raises fresh concerns about privacy and internal safeguards.
Editor’s Note
While Baig’s lawsuit highlights serious allegations, it does not claim that WhatsApp user data has actually been misused. Meta firmly rejects the claims, and regulators such as OSHA have previously sided with the company. The outcome of this case could shape future oversight of Meta’s data security practices.
ⓘ As a part of our ongoing support for startups and SMEs, we publish feature and resource articles that may include external links to third-party websites. While such content is selected at our editorial discretion, LAFFAZ Media is not responsible for the content or practices of external websites. For more information, please refer to our Terms and Conditions.
