Sign in Subscribe

Former WhatsApp Employee: 1,500 Engineers Had Access to Users' Personal Information

Former WhatsApp Employee: 1,500 Engineers Had Access to Users' Personal Information

Attaullah Baig, who claims he headed WhatsApp’s security service from 2021 to 2025, has filed a lawsuit against parent company Meta (an organization recognized as extremist and banned in the Russian Federation). Baig argues he was fired for repeatedly raising concerns about serious cybersecurity risks within the messenger. Meta, however, disputes his account, stating that Baig never led the company’s security service.

Baig filed his lawsuit under the Sarbanes-Oxley Act, alleging Meta concealed security problems that could amount to shareholder fraud. He also cites likely violations of U.S. Securities and Exchange Commission (SEC) rules on internal information controls.

According to the complaint, Baig—who previously held cybersecurity roles at PayPal and Capital One—was dismissed after WhatsApp managers distorted his performance review to justify termination.

Court documents state that shortly after joining WhatsApp in 2021, Baig “discovered systemic cybersecurity flaws that posed serious risks to user data and violated Meta’s obligations under the 2020 Privacy Ordinance and federal securities laws.”

Alleged Security Failures

Baig claims that roughly 1,500 WhatsApp engineers had unrestricted access to confidential user data and could copy or steal it without detection or audit.

On September 8, 2022, he reportedly raised the following concerns at a work meeting:

  • Inability to inventory user data;
  • Inability to locate and list data repositories;
  • Unrestricted access to user data for 1,500 engineers;
  • Lack of access controls for sensitive data;
  • Inability to detect leaks;
  • Failure to prevent account takeovers (allegedly about 100,000 incidents per day).

In October 2022, Baig says he warned ten senior WhatsApp managers—including CEO Will Cathcart and lead engineer Nitin Gupta—about these issues and cautioned that the company could face legal consequences.

Escalations to Leadership

Baig further claims that by 2023 his concerns met strong resistance from management. In early 2024, he allegedly wrote to Meta CEO Mark Zuckerberg and Chief Legal Officer Jennifer Newstead, outlining potential violations, the internal pushback he faced, and what he described as “evidence that the security team falsified reports to cover up their decisions and avoid addressing data theft risks.”

In February 2025, Baig was dismissed from the company—months after he had allegedly notified the SEC about Meta’s security practices. He is now demanding a jury trial, reinstatement, back pay, compensation for legal expenses, and damages for emotional distress.

Meta’s Response

Meta rejects Baig’s version of events. Company representatives stress that he never served as “head of the security service,” but rather as a software development manager reporting to several senior executives. According to Meta, independent reviews by senior engineers concluded that Baig’s work failed to meet expectations, which led to his dismissal.

“Unfortunately, this is a familiar scenario where an employee dismissed for poor performance makes distorted claims that diminish our team’s efforts,” said Andy Stone, Meta’s Director of Communications.

Documents provided by Meta to SecurityWeek show that the U.S. Department of Labor had already dismissed Baig’s complaint. The Occupational Safety and Health Administration (OSHA) concluded Meta did not retaliate against him for raising security concerns. The Department of Labor also determined that Baig’s actions were not protected under the Sarbanes-Oxley Act.

Read next