Attaullah Baig, the former head of security at WhatsApp, has filed a federal lawsuit against Meta, accusing the company of widespread cybersecurity failures and retaliating against him for raising concerns. Baig served in the role from 2021 until his termination in February 2025.

Filed in San Francisco federal court on Monday, the 115-page complaint alleges that around 1,500 WhatsApp engineers had broad, unsupervised access to user data, including contact lists, IP addresses, and profile photos—potentially violating a $5 billion privacy settlement Meta reached with the U.S. government in 2020 following the Cambridge Analytica scandal.

According to Baig, Meta failed to implement basic security protocols such as breach detection and proper data handling. He claims internal tests revealed that engineers could "move or steal user data" without leaving an audit trail. The lawsuit states Baig raised these concerns directly with senior leadership, including WhatsApp chief Will Cathcart and Meta CEO Mark Zuckerberg.

Baig further alleges that after reporting these issues in 2021, he was subjected to retaliation, including negative performance reviews, verbal warnings, and ultimately dismissal for "poor performance." He also claims that Meta intentionally blocked security upgrades designed to curb account takeovers affecting roughly 100,000 WhatsApp users daily, instead prioritizing user growth.

Before joining Meta, Baig held cybersecurity positions at companies including PayPal and Capital One. He also submitted complaints to U.S. regulators, including the Securities and Exchange Commission, prior to filing the lawsuit.

Baig is seeking reinstatement, back pay, and compensatory damages, along with potential regulatory action against Meta. The company has not yet commented on the allegations.

The lawsuit adds to ongoing scrutiny over Meta’s data protection practices across its platforms—Facebook, Instagram, and WhatsApp—which serve billions of users globally. The 2020 government consent order remains in effect through 2040.

Separately, a report by The Washington Post revealed that current and former Meta employees have accused the company of suppressing internal research into child safety concerns related to its virtual reality products. Meta denies those claims, asserting its commitment to youth safety and regulatory compliance.