Ex-Meta employee files whistleblower suit for alleged security flaws at WhatsApp

A former employee of Meta has filed a lawsuit against the tech giant, claiming that its popular messaging service, WhatsApp, is riddled with significant cybersecurity vulnerabilities that could jeopardize user privacy. Attaullah Baig, who was the head of security at WhatsApp, alleges that after bringing these issues to the attention of top executives, including CEO Mark Zuckerberg, he faced retaliation from the company. His lawsuit, lodged in the U.S. District Court for the Northern District of California, asserts that he uncovered security flaws upon joining WhatsApp in 2021, which he argues breach federal securities regulations and Meta's commitments stemming from a 2020 privacy settlement with the Federal Trade Commission. Baig claims that during a security evaluation with Meta's central security team, he identified that approximately 1,500 WhatsApp engineers had unrestricted access to sensitive user data, allowing potential unauthorized handling of this information without any monitoring or audit trail. In response to these allegations, a Meta spokesperson refuted Baig's claims and characterized his position and contributions at the company as minimal. The spokesperson further described the lawsuit as typical of a former employee who, after being let go for inadequate performance, resorts to making exaggerated assertions to distort the company's efforts. The lawsuit does not allege that user data was actually compromised, but Baig maintains he alerted his superiors multiple times about the dangers posed by the identified cybersecurity gaps. Among the issues cited are WhatsApp's lack of a dedicated 24-hour security operations center, inadequate monitoring systems for user data access, and the absence of a complete inventory of systems containing user data, which hinders effective protection and compliance measures. Baig's legal team argues that he faced criticism from higher-ups shortly after his initial disclosures about cybersecurity concerns, with negative performance evaluations surfacing just days later. In November, he reported the alleged deficiencies to the Securities and Exchange Commission (SEC), and a month after that, he informed Zuckerberg about the SEC complaint and requested urgent action to rectify the compliance issues and address the retaliation he faced. In January, Baig lodged a complaint with the Occupational Safety and Health Administration, detailing the retaliation he claims followed his security disclosures. The lawsuit indicates that Baig was terminated in February, shortly after the company announced layoffs affecting 5% of its workforce, with Meta attributing his dismissal to poor performance. Baig's legal representatives argue that the timing of his firing clearly links it to his disclosures to external regulators, suggesting a pattern of retaliation over the course of two years for advocating compliance with federal laws and regulations. On Monday, Baig's attorneys announced that he has formally removed his SEC-related claims to federal court and affirmed that he has pursued all necessary administrative remedies before initiating this legal action.