Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a 2020 US government order that imposed a $5 billion penalty on the company.

The lawsuit, filed in federal court in San Francisco, alleges that Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.

According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could "move or steal user data" -- including contact information, IP addresses, and profile photos -- "without detection or audit trail."

The filing claims Baig repeatedly raised concerns with senior executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg.

Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings, and ultimately termination in February 2025 for alleged "poor performance."

The lawsuit also claims Meta blocked implementation of security features intended to address account takeovers affecting an estimated 100,000 WhatsApp users daily, choosing instead to prioritize user growth.

Meta strongly disputed the allegations.

"Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team," Carl Woog, vice president of communications at WhatsApp, told AFP in a statement.

"Security is an adversarial space, and we pride ourselves on building on our strong record of protecting people's privacy," Woog added.

The company said Baig left due to poor performance, with multiple senior engineers independently validating that his work was below expectations.

Meta also noted that the Department of Labor's Occupational Safety and Health Administration dismissed Baig's initial complaint, finding that Meta had not retaliated against him.

The company further insisted that Baig's self-description as head of security was an exaggeration of his role at WhatsApp, and that he was a lower-level engineer.

Prior to joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One, and other major financial institutions. 

The case adds to ongoing scrutiny of Meta's data protection practices across its platforms -- Facebook, Instagram, and WhatsApp -- which serve billions of users globally.

Meta agreed to the 2020 government settlement following the Cambridge Analytica scandal, which involved improper harvesting of data from 50 million Facebook users. The consent order remains in effect until 2040.

In his whistleblower complaint, Baig is requesting reinstatement, back pay, and compensatory damages, along with potential regulatory enforcement action against the company.

In a separate case targeting Meta first reported by the Washington Post on Monday, current and former employees allege the company suppressed research on child safety risks in its virtual reality products.

Meta denies these claims, stating it prioritizes youth safety and complies with privacy laws.