Whistleblower claims 1,500 WhatsApp engineers had free user data access
WhatsApp's former security chief Attaullah Baig has filed a federal lawsuit against Meta, alleging that thousands of engineers had unchecked access to user data. The complaint claims Meta ignored compliance obligations and retaliated against Baig for raising concerns. Meta has denied the allegations, calling them distorted and linked to his poor performance.
New Delhi: Meta, the parent of WhatsApp, is facing a fresh whistleblower lawsuit in the United States, raising serious questions about how the messaging app handles user data. The case has been filed by Attaullah Baig, a former WhatsApp security executive, who alleges that systemic failures at the platform allowed thousands of engineers broad access to sensitive user information.
According to reports, Baig claims he was retaliated against after flagging the security concerns to Meta’s top leadership, including CEO Mark Zuckerberg. His 115-page complaint has been filed in the U.S. District Court for the Northern District of California.
Allegations of unchecked data access
Baig joined WhatsApp in 2021 and says that internal testing revealed around 1,500 engineers had the ability to move or steal user data "without detection or audit trail.” The data allegedly accessible included IP addresses, contact details, and profile photos. He also claims that WhatsApp lacked a proper 24-hour security operations centre, and did not maintain a full inventory of systems storing user data.
The former executive states that these failures may have violated Meta’s obligations under a $5 billion settlement with the U.S. Federal Trade Commission in 2020. He added that the company had ignored proposals to introduce stronger protections against account takeovers, which he estimated affected over 100,000 users every day.
Meta’s response
Meta has strongly denied the claims. Carl Woog, vice president of communications at WhatsApp, said in a statement that Baig’s lawsuit followed "a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims.”
Woog added, "Security is an adversarial space, and we pride ourselves on building on our strong record of protecting people’s privacy.” Meta further insisted that Baig exaggerated his position at WhatsApp, stating he was not the head of security but a lower-level engineer.
- 2021: Baig raises his initial concerns about cybersecurity gaps.
- November 2024: He informs the U.S. Securities and Exchange Commission (SEC) about alleged deficiencies.
- December 2024: He writes directly to Zuckerberg, noting that he had filed an SEC complaint.
- January 2025: He files a retaliation complaint with the U.S. Department of Labor’s Occupational Safety and Health Administration, which was later dismissed.
- February 2025: Meta terminates Baig’s employment, citing "poor performance” during company-wide layoffs.
Baig’s lawsuit claims the timing of his dismissal shows a "clear causal connection” to his protected disclosures.
Broader implications
This case adds to a string of controversies around Meta’s handling of privacy and security across its family of apps. The company is still under a long-term consent order with the FTC, in place until 2040, following the Cambridge Analytica scandal that exposed data from millions of Facebook users.
Baig, who previously worked with PayPal and Capital One, is seeking reinstatement, back pay, compensatory damages, and regulatory action. His lawyers argue that he faced "systemic retaliation” for advocating compliance with U.S. cybersecurity laws.
Meanwhile, Meta continues to face parallel accusations on child safety issues in its virtual reality division, which it has also denied.
For WhatsApp’s over 2 billion users worldwide, including more than 500 million in India, the lawsuit raises fresh concerns over whether user privacy is being adequately protected at one of the most widely used messaging apps.