A bombshell whistleblower lawsuit filed Monday reveals that approximately 1,500 WhatsApp engineers allegedly had unrestricted access to user data without detection systems, according to the messaging app's former head of security. Attaullah Baig claims Meta retaliated against him after he flagged these "systemic cybersecurity failures" directly to CEO Mark Zuckerberg.
The lawsuit, filed in U.S. District Court for the Northern District of California, exposes what could be Meta's most serious privacy vulnerability since the Cambridge Analytica scandal. Attaullah Baig, who served as WhatsApp's head of security from 2021 until his termination in February, alleges that during a routine security audit with Meta's central security team, he "discovered that approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information" with the ability to "move or steal such data without detection or audit trail."
The timing couldn't be worse for Meta, which has spent years rebuilding trust after previous privacy scandals. According to court documents obtained by CNBC, Baig's findings allegedly violated the company's legal obligations under a 2020 privacy settlement with the Federal Trade Commission—a deal that required enhanced data protection measures.
Meta pushed back hard against the allegations. "Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team," a company spokesperson told CNBC. The company emphasized that "Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people's privacy."
But Baig's legal team paints a different picture. The lawsuit details a pattern of alleged retaliation that began within three days of his initial cybersecurity disclosure, when he started receiving "negative performance feedback" from superiors. According to the complaint, the security flaws extended beyond data access issues and included WhatsApp's failure to maintain a 24-hour security operations center appropriate for its scale and its lack of "a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure."
The escalation timeline reveals the mounting tension inside Meta. After repeatedly flagging security issues internally, Baig took his concerns to federal regulators in November, notifying the SEC of alleged "cybersecurity deficiencies and failure to inform investors about material cybersecurity risks." A month later, he sent a second letter directly to the CEO, informing him that he "had filed the SEC complaint" and was "requesting immediate action to address both the underlying compliance failures and the unlawful retaliation."