Attaullah Baig, who allegedly headed WhatsApp’s security department from 2021 to 2025, has filed a lawsuit against parent company Meta (an organization recognized as extremist and banned in the Russian Federation). Baig claims he was fired for his repeated attempts to address the messaging app’s serious cybersecurity problems.
Baig filed the lawsuit under the Sarbanes–Oxley Act, in connection with the concealment of security issues that may be related to potential shareholder fraud, as well as likely violations of U.S. Securities and Exchange Commission (SEC) rules concerning internal information control systems.
In the lawsuit, the former WhatsApp employee (who previously held cybersecurity-related positions at PayPal and Capital One) claims that WhatsApp’s management unlawfully engineered his dismissal by distorting his performance review and using it as a pretext to terminate his contract.
The documents state that shortly after joining WhatsApp in 2021, Baig “discovered systemic cybersecurity issues that created serious risks to user data and violated Meta’s legal obligations under the Privacy Order of 2020 and federal securities laws.”
Baig claims that roughly 1,500 WhatsApp engineers had unrestricted access to users’ confidential personal data and could copy and exfiltrate it without detection or any possibility of auditing.
According to reports, at a staff meeting on September 8, 2022, Baig raised the following violations:
- inability to inventory user data;
- inability to locate and enumerate data stores;
- unrestricted access to user data that was available to 1,500 software engineers;
- lack of access control for user data;
- inability to detect data leaks;
- inability to protect user accounts from takeover (allegedly about 100,000 such cases per day).
In October 2022, Baig allegedly notified ten top WhatsApp executives about the issues, including CEO Will Cathcart and lead engineer Nitin Gupta, warning that the company could face legal consequences.
Baig claims that in 2023 he tried to voice his concerns but faced resistance from managers. After that, in early 2024, he allegedly sent a letter to Meta CEO Mark Zuckerberg and Chief Legal Officer Jennifer Newstead, notifying them of potential violations, the pushback he encountered, and “evidence that the security team falsified reports to cover their decisions and avoid addressing the risks of data theft.”
In February 2025, Baig was fired from the company. Reportedly, this happened a few months after he personally notified the U.S. Securities and Exchange Commission about alleged cybersecurity violations at Meta.
Now Baig is demanding a jury trial and wants Meta to reinstate him, as well as to pay back wages, cover legal expenses, and compensate for emotional distress and pain and suffering.
However, as reported by the media, Meta representatives said that Baig was not actually the “head of security” at WhatsApp; he held the position of software development manager and had several senior executives above him. According to the company, several senior engineers independently determined that his work did not meet the company’s expectations, which served as grounds for his dismissal.
“Unfortunately, this is a familiar scenario where an employee is terminated for poor performance and then makes distorted claims that downplay the hard work of our team,” comments Andy Stone, director of communications at Meta.
In addition, according to documents the company provided to SecurityWeek, the U.S. Department of Labor had already dismissed Baig’s complaint. The Occupational Safety and Health Administration (OSHA) concluded that Meta did not retaliate against the employee who tried to draw attention to security issues. The documents also indicate that the Department of Labor determined Baig’s actions were not protected under the Sarbanes–Oxley Act.