The Register

Legal

WhatsApp's former security boss claims reporting infosec failings led to ousting

Meta shrugs off allegations of improper dismissal, ignoring privacy and security

Thomas Claburn
Mon 8 Sep 2025 // 23:36 UTC

WhatsApp's former head of security, Attaullah Baig, has filed a lawsuit against its parent company, Meta, alleging that the social media megalith retaliated against him for reporting security failings that violated legal commitments.

The complaint [PDF], filed in Northern California District Court, says Baig reported what he believed to be several violations of the US Sarbanes-Oxley Act involving the failure to disclose security issues that represent potential acts of shareholder fraud, plus potential violations of US Securities and Exchange Commission rules about internal information controls.

As a result of his reports, Baig claims leaders at WhatsApp unlawfully retaliated against him through inaccurate performance reviews that were filed as a pretext to terminate his employment.

Echoing the words of Meta comms boss Andy Stone, WhatsApp VP of communications Carl Woog told The Register in an emailed statement: "Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space and we pride ourselves in building on our strong record of protecting people’s privacy."

That record includes years of security and privacy criticism, a €225 million fine (~$265 million) from the Irish Data Protection Commission (DPC) in 2021, a subsequent €5.5 million fine (~$6.47 million) by the DPC in 2023, and a 2024 FTC report that found the privacy practices of all major social media companies lacking. The biz recently patched a zero-day vulnerability in WhatsApp clients for iOS and macOS.

WhatsApp, acquired by Facebook in 2014 before the social network's reinvention as Meta, operates the eponymous messaging app used by three billion people globally. As a subsidiary, it's subject to the obligations imposed on Meta in the 2020 privacy order that concluded the US Federal Trade Commission's 2018 investigation into the Cambridge Analytica privacy breach. WhatsApp currently awaits a decision in the FTC's antitrust case against Meta, following the conclusion of the trial in May, 2025.

Shortly after joining WhatsApp in 2021, Baig "discovered systemic cybersecurity failures that posed serious risks to user data and violated Meta’s legal obligations under the 2020 Privacy Order and federal securities laws," the complaint says.

Through adversarial security testing, Baig allegedly found that about 1,500 WhatsApp engineers had unrestricted access to the sensitive personal information of users and could copy or steal said data without detection or audit trail. Meta previously promised to safeguard personal information under the terms of the FTC privacy order.

The complaint outlines the six issues Baig is said to have raised in a September 8, 2022, meeting that represented potential violations of company commitments. These include:

  • Failure to inventory user data;
  • Failure to locate and enumerate data storage;
  • Unrestricted access to user data for 1,500 software engineers;
  • Lack of access monitoring for user data;
  • Inability to detect data breaches;
  • Failure to protect against account takeovers, said to be 100,000 per day.

In October 2022, Baig allegedly told ten WhatsApp senior executives, including CEO Will Cathcart and head of engineering Nitin Gupta, that WhatsApp risked regulatory consequences similar to those faced by Twitter when former security chief Peiter "Mudge" Zatko filed a whistleblower complaint.

Baig claims he tried to escalate his concerns amid pushback from managers in 2023.

On January 2, 2024, he claims to have sent a letter to Meta CEO Mark Zuckerberg and General Counsel Jennifer Newstead advising them of the potential FTC and SEC violations, the retaliation against him, and "evidence that the central security team had falsified security reports to cover up decisions not to remediate data exfiltration risks."

Later that month, Baig says he advised Gupta that Meta had made false representations to the Irish DPC about WhatsApp limiting Meta employees from accessing user data. He went on to file a complaint with the SEC in November 2024 about supposed security shortcomings at WhatsApp. And a month later, he is said to have informed Zuckerberg about the SEC whistleblowing.

WhatsApp sent Baig a notice of termination in February 2025.

Baig's attorneys did not respond to a request for comment. ®

