Former WhatsApp executive files lawsuit against Meta, claiming security breaches
In a significant development, Attaullah Baig, the former head of security for WhatsApp at Meta, has filed a lawsuit against the tech giant. Baig served in this role from 2021 to his dismissal in February 2025.
The lawsuit, filed in federal court in San Francisco, alleges that Meta violated cybersecurity regulations and failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities. This potential breach of regulations could potentially be in contravention of a 2020 US government order that imposed a $5 billion penalty on the company.
Carl Woog, vice president of communications at WhatsApp, has stated that security is an adversarial space, and they pride themselves on building on their strong record of protecting people's privacy. However, the lawsuit alleges otherwise. It claims that approximately 1,500 engineers at WhatsApp had unrestricted access to user data without proper oversight. Moreover, it was discovered through internal security testing that WhatsApp engineers could move or steal user data without detection or audit trail.
Meta disputes Baig's self-description as head of security at WhatsApp, claiming he was a lower-level engineer. Nevertheless, Baig's role prior to joining Meta includes cybersecurity roles at PayPal, Capital One, and other major financial institutions.
The lawsuit also alleges that Meta blocked the implementation of security features intended to address account takeovers affecting an estimated 100,000 WhatsApp users daily. Meta denies these claims and prioritises youth safety, complying with privacy laws.
The case adds to ongoing scrutiny of Meta's data protection practices across its platforms - Facebook, Instagram, and WhatsApp. This scrutiny follows the Cambridge Analytica scandal in 2020. In a separate case, current and former Meta employees allege the company suppressed research on child safety risks in its virtual reality products.
Baig is requesting reinstatement, back pay, compensatory damages, and potential regulatory enforcement action against the company. The 2020 government consent order remains in effect until 2040.
Meta strongly disputes the allegations made in the lawsuit. The company maintains its commitment to privacy laws and youth safety. This latest development is sure to attract further attention to Meta's data handling practices and its adherence to regulatory requirements.
