Ex-WhatsApp cybersecurity head says Meta endangered billions of users

Summary

WhatsApp’s former head of cybersecurity filed a lawsuit on Monday alleging that parent company Meta disregarded internal flaws in the app’s digital defenses and exposed billions of its users. He says the company systematically violated cybersecurity regulations and retaliated against him for reporting the failures.Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth. The lawsuit, filed in US federal court in San Francisco, alleges Facebook-owner Meta failed to implement basic cybersecurity measures, including adequate data handling and breach detection capabilities.According to the 115-page complaint, Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.The filing claims Baig repeatedly raised concerns with senior executives, including the WhatsApp head, Will Cathcart, and Meta CEO, Mark Zuckerberg. Meta acquired Whatsapp for $19bn in 2014.Meta representatives did not immediately respond to requests for comment. A Meta spokesperson, Andy Stone, wrote on Threads, the company’s text-based social network: “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”Baig alleges he faced escalating retaliation after his initial reports in 2021, including negative performance reviews, verbal warnings and ultimately termination in February 2025 for apparent “poor performance”.Before...