Former WhatsApp Head of Security Attaullah Baig filed a lawsuit against Meta and a number of top executives in the company, accusing them of retaliating after he raised alarms about severe cybersecurity failures.
On Sept. 8, Baig filed a federal complaint in the Northern District of California saying that Meta and its executives punished him for reporting security failures. He seeks reinstatement, back pay, damages for emotional distress, and attorney’s fees.
Baig joined WhatsApp in September 2021. Within weeks, he ran a Red Team exercise with Meta’s central security group. That test found serious security issues. For example, around 1,500 WhatsApp engineers had unrestricted access to user data, and Baig says those engineers could move or steal the data without detection or audit trails.
Following the findings, he repeatedly warned his supervisors that WhatsApp lacked even the most basic inventory of what user data it collected, where it was, and who could see it.
Baig took his concerns to senior leadership in August 2022 after two security incidents hit WhatsApp users. He said he explained to Will Cathcart, head of WhatsApp, that only 10 engineers worked on security when other companies with similar products had closer to 200.
Baig prepared a detailed report flagging six critical failures:
· Failure to inventory user data: WhatsApp didn’t have a comprehensive list of what user data it collected, violating disclosure requirements under the CCPA, GDPR, and the FTC’s 2020 Privacy Order.
· Failure to locate data storage: The company lacked an inventory of the systems where it stored user data, which in turn prevented proper security and regulatory disclosure.
· Unrestricted data access: Around 1,500 engineers had unfettered access to ‘Covered Information’ (personal data protected by the FTC Privacy Order) without a documented need for it.
· Absence of access monitoring: No systems monitored who accessed user data, making suspicious activity undetectable.
· Inability to detect data breaches: WhatsApp lacked a 24/7 Security Operations Center, which is standard for companies of its size. This meant the company was unable to quickly identify or contain breaches.
· Massive daily account compromises: About 100,000 WhatsApp users were losing their accounts to takeovers every day, exposing sensitive information.
“We have a fiduciary responsibility to protect our users and their data. The penalties can be severe both in terms of brand damage and fines,” Baig warned in that document.
According to the complaint, Meta managers responded with a campaign of retaliation. Supervisors delivered negative performance reviews, micromanaged his work, blocked security features, and accused him of “collaboration issues.”
Baig also claimed that Meta executives rolled back one of his most important projects, the Post Compromise Recovery feature, which helped about 25,000 hacked users recover their accounts each day.
He also alleges that managers denied him $600,000 in equity, blocked two patent filings, and eventually stripped him of responsibilities.
Baig eventually went outside the company in late 2024 and filed a confidential whistleblower complaint with the SEC on November 27, 2024.
He wrote to CEO Mark Zuckerberg one week later, saying that “I think there is something important missing from ‘Meta, Metamates, Me’ and in my opinion that is what makes or breaks our company.”
Baig also followed up with a complaint to the US Department of Labor’s OSHA on Jan. 17, 2025, invoking whistleblower protections. A month later, Meta fired him for “poor performance.”
Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
May 16, 2025