Ex-WhatsApp Security Chief Sues Meta Over Alleged Data Failures, Retaliation, and FTC Violations

reclaimthenet.org

The former head of security for WhatsApp, Attaullah Baig, has filed a federal lawsuit against Meta, alleging that the company concealed extensive security flaws, ignored regulatory risks, and launched a campaign of retaliation when he tried to alert leadership.

The complaint, filed in the Northern District of California, paints a picture of a company that, in Baig’s words, “treats its users like they are just numbers on some dashboard.”

Baig’s lawsuit includes detailed allegations that Meta violated its 2020 FTC Privacy Order and federal securities laws.

We obtained a copy of the complaint for you here.

In a 2022 internal document shared with senior WhatsApp leaders, Baig warned: “We have a fiduciary responsibility to protect our users and their data. The penalties can be severe both in terms of brand damage and fines.”

He outlined six critical failures, including unrestricted employee access to sensitive data, the absence of breach detection capabilities, and the daily compromise of over 100,000 user accounts.

According to the filing, Baig joined WhatsApp in 2021 and quickly uncovered what he believed were significant violations of legal and regulatory obligations.

A “Red Team Exercise” revealed that about 1,500 engineers could access and exfiltrate user data without any tracking or audit trail.

In one of his early meetings with leadership, he told then-head of WhatsApp Will Cathcart that the team had only ten engineers working on security, despite the scale of the platform.

He later expanded his concerns in a September 2022 pre-read document for Meta executives. Among the listed issues: “Failure to inventory user data,” “Unrestricted data access,” and “Massive daily account compromises.” The filing alleges these failures violated both the FTC settlement and international data protection laws, such as the GDPR.

Baig repeatedly raised alarms with executives, including CEO Mark Zuckerberg, General Counsel Jennifer Newstead, and other top decision-makers.

On January 2, 2024, he sent Zuckerberg a letter detailing Meta’s alleged violations and claimed that Meta’s central security team had “falsified security reports to cover up decisions not to remediate data exfiltration risks.”

The suit claims that despite his efforts to secure the platform, Baig was pushed out through a campaign of micromanagement, bad-faith performance reviews, and exclusion from key decisions.

His former supervisors allegedly warned him not to mention regulatory compliance issues in writing.

In one confrontation, he was allegedly told: “Don’t be the guy that people hate to work with,” after raising concerns about weak cybersecurity controls.

Baig’s attempts to roll out security tools were also blocked. According to the filing, he and his team developed features to help users recover hacked accounts, limit impersonation scams, and protect vulnerable users like journalists and activists.

One such system, called Post Compromise Account Recovery, was successfully recovering tens of thousands of hijacked accounts daily.

Meta shut it down. The filing claims “leadership refused to act on the findings, blocked progress on remediation, and refused to provide necessary staffing.”

In November 2024, Baig filed a whistleblower report with the SEC, alleging Meta failed to disclose “material cybersecurity risks.”

He informed Zuckerberg of the filing a few weeks later. The company terminated him in February 2025, citing poor performance.

Baig claims this was the final act in a long-running campaign of retaliation, stating: “This is not a sexual harassment. This is about the company.”

He had previously told leadership that the security issues could lead to regulatory enforcement actions similar to those faced by Twitter after its whistleblower scandal.

In response to one internal presentation, Meta’s global public policy head reportedly asked whether they could face consequences like “Mudge at Twitter.”

Baig’s disclosures include what he calls Meta’s “false commitment” to European data regulators, citing internal access to sensitive WhatsApp data by as many as 100,000 employees.

He also alleged that leadership actively downplayed privacy threats, manipulated internal metrics, and pressured engineers to minimize the severity of risks in official documents.

His lawsuit seeks reinstatement, damages for lost compensation, and an order requiring Meta to comply with whistleblower protections under the Sarbanes-Oxley Act.

Meta, for its part, has denied Baig’s claims. A WhatsApp spokesperson previously characterized the allegations as “distorted claims that misrepresent the ongoing hard work of our team.”