WASHINGTON: The former head of security for WhatsApp filed a lawsuit on Sept 8 accusing Meta of ignoring major security and privacy flaws that put billions of the messaging app’s users at risk, the latest in a string of whistleblower allegations against the social media giant.
In the lawsuit filed in US District Court for the Northern District of California, Attaullah Baig claimed that thousands of WhatsApp and Meta employees could gain access to sensitive user data including profile pictures, location, group memberships and contact lists. Meta, which owns WhatsApp, also failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes, according to the lawsuit.
Baig tried to warn Meta’s top leaders, including its CEO, Mark Zuckerberg, that users were being harmed by the security weaknesses, according to the lawsuit. In response, his managers retaliated and fired him in February, he claims.
Baig, who is represented by the whistleblower organisation Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, argued in the suit that the actions violated a privacy settlement Meta reached with the Federal Trade Commission in 2019, as well as securities laws that require companies to disclose risks to shareholders.
“There are just so many harms that the users face,” Baig said in an interview last week, adding that he had also alerted the FTC and the Securities and Exchange Commission to his concerns. “This is about holding Meta accountable and putting the interests of users first.”
Meta pushed back on his claims. “Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” said Carl Woog, a spokesperson for WhatsApp. “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”
In 2019, the company then known as Facebook agreed to pay a US$5bil fine and strengthen its privacy policies to settle charges that it had mishandled users’ information by allowing a British political consulting firm, Cambridge Analytica, to harvest data without permission.
“Privacy is more central than ever to our vision for the future,” Zuckerberg said in a companywide meeting after the settlement was announced with the FTC. “And we’re going to change the way that we operate across the whole company, from the leadership down and the ground up. We’re going to change how we build products, and if we don’t, then we’re going to be held accountable for it.”
Baig is the latest whistleblower to come forward accusing Meta – which also owns Facebook and Instagram – of wrongdoing related to privacy, child safety and the spread of disinformation on its main platforms.
On Monday, another whistleblower organisation, Whistleblower Aid, said that six former and current Meta employees had disclosed to Congress and federal regulators that the company put children in harm’s way on its virtual reality products. Two of the former employees plan to testify Tuesday in a Senate hearing on child safety. They plan to say that Meta deleted or doctored internal safety research of children as young as 10 years old who were exposed to sexual abuse grooming, sexual harassment and violence on the company’s virtual reality platform, according to Whistleblower Aid.
Meta said those claims were “nonsense” and based on “selectively leaked internal documents that were picked specifically to craft a false narrative.”
In March, Sarah Wynn-Williams, a former leader of global policy, published a book, called Careless People, that describes a series of incendiary allegations of sexual harassment and other inappropriate behaviour by senior executives. (Meta won a legal victory blocking the promotion of the book and has denied the allegations it details.)
And in late 2021, Frances Haugen, another former employee, testified before Congress that the company had knowingly created products that harmed teenagers, among other safety concerns, presenting thousands of pages of internal documents to support her claims.
Meta’s vice president for public policy at the time, Nick Clegg, said that her accusations were “misleading.” He said the platform reflected “the good, the bad and ugly of humanity” and that it was trying to “mitigate the bad, reduce it and amplify the good.”
Meta bought WhatsApp in 2014 for US$19bil. Many of its three billion users turn to the app for its perceived security benefits, including encryption, which scrambles messages so they can be deciphered only by the sender and the intended recipient.
In June, WhatsApp unveiled ads in some parts of the app, a move that included optional data sharing that some users said was at odds with its long-standing stated philosophy toward privacy.
Baig joined WhatsApp in January 2021 as head of security. Soon after, he conducted a “red-teaming” exercise, where employees posed as attackers trying to exploit the service, according to the lawsuit. Roughly 1,500 WhatsApp employees had unrestricted access to sensitive user data, which was a violation of the company’s 2020 privacy settlement with the FTC, according to the suit.
As part of the settlement with the FTC, Meta had agreed to stronger privacy practices that included regular independent auditing of its systems, limiting sharing of data and putting in place a clear and comprehensive data security program for its apps.
For more than a year, Baig repeatedly tried to raise the issue to his supervisor, according to the suit, but was told to “focus on less critical application security tasks.”
In October 2022, Baig documented a list of “critical cybersecurity problems” that he considered to be violating the FTC order and securities laws, according to the suit. Meta was failing to address account hacking and wasn’t keeping track of all the data it was collecting on WhatsApp users, the suit claims.
“We have a fiduciary responsibility to protect our users and their data,” Baig wrote in the document he presented to top WhatsApp executives, according to the suit. “The penalties can be severe both in terms of brand damages and fines.”
Meta blocked several security efforts by Baig’s team, according to the lawsuit, including a proposed feature that required additional login approval for account recovery and one that prevented profile pictures from being downloaded from the service.
In an interview, Baig said that every day his team saw “real world, actual harm happening,” such as “account compromises, scraping impersonation, journalists being targeted.”
In December, Baig informed Zuckerberg that he had filed a complaint with the SEC stating that the company had failed to inform investors of cybersecurity risks, according to the suit.
Baig’s managers retaliated with threats of firing and withholding compensation, the suit claims. His performance reviews became more negative, and in February, he was fired.
Baig filed a complaint with the Occupational Safety and Health Administration in April against Meta for retaliation against his reporting of security problems.
Baig said in the interview that working at Meta had been his “dream job” because of the company’s scale and the ability to solve problems that affected billions of users.
But now he thinks that “Meta treats its users like they are just numbers on some dashboard,” he said. – ©2025 The New York Times Company
This article originally appeared in The New York Times.