A former WhatsApp employee has filed a federal lawsuit accusing the company of ignoring serious cybersecurity flaws and retaliating against him when he raised concerns.

Attaullah Baig, who says he served as the messaging app’s head of security, claimed that in 2021 he discovered “systemic cybersecurity failures that posed serious risks to user data.”

According to Baig’s lawsuit, he found that around 1,500 WhatsApp engineers had unrestricted access to user data and could move or steal it without detection or an audit trail. He also alleged that WhatsApp lacked a 24/7 security operations center and that about 100,000 users were victims of account takeovers daily. He claimed the company employed far fewer security engineers than other companies of similar size.

Baig said he raised concerns with his boss on approximately five occasions, warning that “WhatsApp lacked fundamental cybersecurity knowledge required for regulatory compliance.” Although he escalated the issues to other superiors, including Meta CEO Mark Zuckerberg, his warnings were ignored. He said that instead of addressing the problems, the company retaliated against him with poor performance reviews and ultimately fired him.

In the lawsuit, Baig also claimed that the security flaws could violate a 2020 settlement with the Federal Trade Commission and securities laws.

WhatsApp responded through spokesperson Carl Woog, saying, “Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”

Another WhatsApp representative, Zade Alsawah, said Baig’s official title was “software engineering manager” and that there were multiple directors above him reporting to the vice president of engineering. He also pointed to a complaint Baig filed with the Department of Labor’s Occupational Safety and Health Administration. Alsawah said OSHA found that Meta had not retaliated against him for raising security concerns. OSHA did not immediately respond to requests for comment.

Baig was hired as a software engineering manager at Meta in 2021 and, after onboarding, assumed the role of head of security at WhatsApp, according to his lawsuit. 
