Ex-WhatsApp cybersecurity head says Meta endangered billions of users in new suit

Attaullah Baig, fired this year, said he had warned Mark Zuckerberg engineers had unaudited access to user data

WhatsApp’s former head of cybersecurity filed a lawsuit on Monday alleging that parent company Meta disregarded internal flaws in the app’s digital defenses and exposed billions of its users. He says the company systematically violated cybersecurity regulations and retaliated against him for reporting the failures.

Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.

He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth. The lawsuit, filed in US federal court in San Francisco, alleges Facebook-owner Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.

According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.