Former Meta employee sues over alleged WhatsApp security failures

During a security test, Baig alleged that around 1,500 WhatsApp engineers had unrestricted access to user data and could move it without detection or audit trail

BestMediaInfo Bureau

New Delhi: A former Meta employee has filed a lawsuit against the company alleging that its WhatsApp messaging service contained “systemic cybersecurity failures” that could compromise user privacy, according to a report.

Attaullah Baig, who served as WhatsApp’s head of security, alleged that Meta retaliated against him after he raised concerns with senior leaders, including chief executive Mark Zuckerberg.

The case, lodged in the US District Court for the Northern District of California, claims that Baig identified security flaws after joining WhatsApp in 2021. The suit says these issues could have violated federal securities laws and Meta’s obligations under a 2020 privacy settlement with the Federal Trade Commission.

During a security test conducted with Meta’s central security team, Baig alleged he “discovered that approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information” and that the employees “could move or steal such data without detection or audit trail.”

A Meta spokesperson rejected the claims, stating, “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”

Baig is being represented by the whistleblower organisation Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes.

While the lawsuit does not allege that user data was compromised, it says Baig repeatedly warned superiors that the security gaps created regulatory compliance risks. The cited shortcomings include the lack of a 24-hour security operations centre, insufficient monitoring of user data access, and the absence of “a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure.”

The filing further claims that Baig began receiving “negative performance feedback” within three days of his first disclosure. In November, he reportedly notified the Securities and Exchange Commission of “cybersecurity deficiencies and failure to inform investors about material cybersecurity risks.”

The following month, Baig sent Zuckerberg a letter stating he “had filed the SEC complaint” and was “requesting immediate action to address both the underlying compliance failures and the unlawful retaliation.”

Baig later filed a complaint with the Occupational Safety and Health Administration, alleging “systemic retaliation” after his disclosures. According to the report, Meta said that complaint was dismissed.

The suit notes that Baig was dismissed in February, during a round of layoffs affecting 5% of staff, with Meta citing “poor performance.” His lawyers argue the timing shows “clear causal connection to his protected activity” and represents “the culmination of over two years of systemic retaliation for his cybersecurity disclosures and advocacy for compliance with federal law and regulatory orders.”

His legal team said Baig has now withdrawn his SEC-related claims to federal court and “exhausted his administrative remedies prior to bringing this action.”
