Former WhatsApp cybersecurity head, Attaullah Baig, has filed a lawsuit against Meta, alleging that the company endangered billions of users by neglecting critical security flaws. Baig, who served as WhatsApp's head of security from 2021 to 2025, claims that Meta prioritized user growth over implementing essential cybersecurity measures, potentially violating a US government order.
The lawsuit, filed in US federal court in San Francisco, alleges that approximately 1,500 engineers had unrestricted access to user data without proper oversight. Baig claims he discovered through internal security testing that WhatsApp engineers could "move or steal user data," including contact information, IP addresses, and profile photos, "without detection or audit trail."
According to the 115-page complaint, Baig repeatedly warned senior executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg, about these vulnerabilities. He alleges that Meta failed to remedy the hacking and takeover of over 100,000 accounts daily, ignoring his proposed fixes and prioritizing user growth instead.
The lawsuit highlights Meta's alleged failure to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities. Baig also claims that Meta retaliated against him for reporting these failures, ultimately leading to his termination this year.
This legal action raises serious questions about Meta's commitment to user privacy and data security. The allegations, if proven true, could have significant implications for the company and its billions of WhatsApp users worldwide.
Key Allegations:
- Unrestricted access to user data for 1,500 engineers.
- Failure to address hacking and account takeovers.
- Neglect of basic cybersecurity measures.
- Retaliation against the whistleblower.
What's Next?
The lawsuit is now proceeding through the US federal court system. Meta has yet to issue a detailed public statement addressing the specific allegations raised in the complaint. The outcome of this case could significantly impact Meta's cybersecurity practices and its relationship with its users.