In a bombshell lawsuit that could reshape the discourse on digital privacy, Attaullah Baig, the former head of security for WhatsApp, has accused Meta of systematically ignoring critical vulnerabilities that expose billions of users to data theft, account hijacking, and privacy erosion. Filed on September 8, 2025, in the U.S. District Court for the Northern District of California, the 115-page complaint paints a picture of a company more concerned with explosive user growth than safeguarding the very data it claims to protect. Baig’s allegations go to the heart of WhatsApp’s privacy promise: end-to-end encryption protects message content in transit, but the complaint concerns the account data and metadata around those messages, which he says were left open to Meta’s own staff, and it alleges conduct that may violate a landmark $5 billion settlement with the Federal Trade Commission (FTC). This isn’t just a whistleblower’s grievance; it’s a wake-up call for regulators, users, and the tech industry at large.
Who Is Attaullah Baig, and What Was His Role at WhatsApp?
Attaullah Baig is no stranger to high-stakes cybersecurity. Before joining Meta in January 2021, he held senior roles at financial giants like PayPal and Capital One, where he honed his expertise in protecting sensitive data against sophisticated threats. At WhatsApp, Baig says he served as head of security, overseeing the app’s defenses for its staggering 3 billion monthly active users worldwide. Officially titled a “software engineering manager” at Meta’s E6 level (which the company characterizes as a mid-level position), Baig reported to directors who ultimately answered to the head of WhatsApp, Will Cathcart. His mandate was clear: fortify WhatsApp against evolving cyber risks while complying with global privacy standards.
Yet, according to Baig, his tenure quickly devolved into a nightmare of ignored warnings and corporate stonewalling. WhatsApp, acquired by Facebook (now Meta) in 2014 for $19 billion, has long touted its end-to-end encryption as a bulwark against surveillance. But Baig’s suit argues that the real threats weren’t external hackers. They were internal lapses that made user data, the contact lists, IP addresses, profile photos and group memberships that encryption of message content does not cover, an open book for Meta’s own employees.
The Lawsuit: The Allegations of Privacy Catastrophe
At the core of Baig’s complaint are allegations of “systemic cybersecurity failures” that endangered user privacy on an unprecedented scale. He claims Meta flouted the 2019 FTC consent decree—stemming from the Cambridge Analytica scandal, where data from 87 million Facebook users was improperly harvested—which imposed a $5 billion fine and mandated a comprehensive privacy program, including data security audits and access controls, enforceable until 2040.
Key accusations include:
- Unrestricted Internal Access to User Data: Baig alleges that roughly 1,500 WhatsApp engineers had unfettered access to sensitive user information, such as contact lists, IP addresses, profile photos, location data, and group memberships. Through internal “red-teaming” exercises (simulated attacks by in-house ethical hackers), Baig says he found that employees could “move or steal” this data without detection or audit trails, which he characterizes as a blatant violation of the FTC order’s requirements for access controls and breach monitoring. If true, this is not a theoretical risk: it means Meta’s own staff could read or exfiltrate user data with no record of having done so.
- Rampant Account Takeovers and Hacking: According to the complaint, WhatsApp suffered over 100,000 account compromises per day as of 2022, rising to 400,000 daily lockouts by 2024 as a result of unauthorized takeovers. Baig blames inadequate safeguards, such as account recovery flows that did not require a second factor or any additional verification. Real-world harms cited include journalists targeted for surveillance, impersonation scams, and data-scraping operations that the suit says harvest 400 million user profiles daily for fraudulent schemes.
- Rejected Security Fixes for Growth’s Sake: Baig proposed practical solutions, such as limiting profile picture visibility to contacts or group members (as Signal and iMessage do), requiring extra login approvals for account recovery, and preventing unauthorized bulk downloads of user media. Meta allegedly dismissed these, prioritizing metrics like user acquisition and engagement over security. The complaint also describes Baig’s team observing engineers bypassing basic protections, and Baig likens Meta’s culture to a “cult” in which dissent is quashed in favor of unchecked expansion.
- Broader Data Management Failures: The suit claims Meta lacks a proper inventory of WhatsApp user data, failing to track where it’s stored, who accesses it, or how it’s used. Baig argues this contravenes not just the FTC order but also laws like the California Consumer Privacy Act (CCPA) and the EU’s GDPR. Baig even notified Meta CEO Mark Zuckerberg and General Counsel Jennifer Newstead in a 2024 letter, warning of potential SEC violations for not disclosing these risks to investors.
These lapses, Baig argues, aren’t isolated bugs but symptoms of a company that views privacy as a checkbox rather than a cornerstone.
Meta’s Checkered History with Data Privacy: A Legacy of Scandals and Fines
Baig’s allegations do not emerge in a vacuum; they are part of a long-standing pattern of privacy missteps at Meta, formerly known as Facebook. Since its early days, the company has faced repeated scrutiny for its handling of user data, resulting in numerous scandals and hefty fines from regulators worldwide.
Meta’s privacy troubles stretch back more than a decade. They began as early as 2011, when Facebook settled with the FTC over charges that it deceived users about privacy protections, allowing third-party apps to access data without proper consent. This set the stage for more severe incidents, most notably the 2018 Cambridge Analytica scandal, where data from up to 87 million users was harvested without permission for political targeting. This led to a historic $5 billion penalty from the FTC in 2019, the largest ever for privacy violations, and a 20-year consent decree mandating stricter privacy practices. In late 2022, Meta agreed to a $725 million class-action settlement related to the same scandal.
European regulators have been particularly aggressive. In 2022, Meta was fined approximately €405 million (about $400 million) by the Irish Data Protection Commission for violating EU data privacy laws concerning children’s data on Instagram. This was followed in January 2023 by another €390 million ($414 million) fine for breaching the General Data Protection Regulation (GDPR) on both Facebook and Instagram. The most substantial blow came in May 2023, when Meta received a record €1.2 billion ($1.3 billion) fine for transferring European users’ data to the United States in violation of the GDPR’s rules on international data transfers.
These incidents are part of a broader timeline of data breaches and privacy lapses, including multiple exposures of user data through vulnerabilities and third-party apps. Collectively, Meta has paid billions in fines, yet critics argue that these penalties—often a fraction of the company’s revenue—have done little to deter repeated offenses, highlighting a corporate culture that prioritizes growth and data monetization over user privacy.
Evidence from the Inside: Red Flags and Internal Battles
Baig’s claims are bolstered by documented internal efforts. Shortly after joining, he conducted red-teaming that exposed the engineer access issues, prompting a September 2021 memo calling for data classification systems to align with FTC mandates. By October 2022, he presented a dossier of “critical cybersecurity problems” to Cathcart and other executives, highlighting FTC and securities law breaches.
His team logged daily incidents: account compromises enabling stalking, financial fraud via scraped data, and even state-sponsored targeting of activists. Despite these, Baig says his fixes were diluted or ignored, with Meta’s central security team allegedly falsifying reports to downplay exfiltration risks. Before his firing, Baig escalated to federal watchdogs—the FTC for privacy violations and the SEC for investor nondisclosure—underscoring the gravity of his findings.
Retaliation: From Whistleblower to Outcast
Baig’s suit doubles as a retaliation claim under the Sarbanes-Oxley Act, alleging Meta punished him for speaking out. Starting in 2021, he received negative performance feedback, verbal warnings, and compensation denials—escalating to his February 2025 termination for “poor performance.” He filed an OSHA complaint in April 2025, which Meta says was dismissed for lacking merit. The suit seeks reinstatement, back pay, damages, and punitive measures, arguing Meta breached the FTC settlement by stifling internal dissent.
This echoes past Meta whistleblowers, like Frances Haugen in 2021, who exposed harms to teen mental health on Instagram. Baig’s case, however, zeroes in on privacy, a realm where Meta’s track record is already tarnished.
Meta’s Defense: Dismissing the “Distorted” Narrative
Meta has fired back forcefully. Spokesman Carl Woog called the suit a “familiar playbook” from a “former employee dismissed for poor performance,” whose claims “misrepresent the ongoing hard work of our team.” The company insists Baig’s role was overstated—he was a level 1 engineer, not a top executive—and that multiple senior reviewers deemed his work subpar. Meta highlights its “strong record” in privacy, pointing to WhatsApp’s encryption and ongoing defenses against adversaries. It also notes the OSHA dismissal and claims Baig’s proposals overlapped with existing initiatives or were too vague.
While Meta’s rebuttal underscores its adversarial security posture, it sidesteps specifics, leaving questions about transparency.
Why Data Privacy Software Companies Like Captain Compliance Exist – The Perils of Profit Over Privacy at Meta
This lawsuit isn’t merely corporate drama; it’s a stark reminder of Big Tech’s privacy paradox, amplified by Meta’s extensive history of scandals and fines. WhatsApp’s 3 billion users rely on it for everything from casual chats to activism in repressive regimes, yet Baig’s revelations suggest the app’s vaunted security is a facade riddled with holes. By granting broad internal access and neglecting basic audits, Meta risks not just data breaches but erosion of global trust—especially in regions like India and Brazil, where WhatsApp dominates communication.
Critically, the allegations challenge Meta’s narrative of innovation. Prioritizing growth over fixes isn’t just negligent; it’s reckless, potentially inviting stricter regulations like the EU’s Digital Services Act or renewed FTC probes. Baig’s SEC angle could even trigger shareholder suits if risks were material. In an era of AI-driven threats and geopolitical tensions, companies like Meta must treat privacy as a feature, not a bug—lest they face the backlash of users fleeing to fortified alternatives like Signal.
Moreover, Baig’s “cult-like” culture critique rings true amid Meta’s history of whistleblower silencing. If proven, this could catalyze broader reforms, forcing tech giants to embed whistleblower protections and independent audits. But without accountability, we’ll see more scandals, not solutions—continuing the cycle of fines that, while massive, seem insufficient to change entrenched behaviors.
Attaullah Baig’s Lawsuit Against Meta
Attaullah Baig’s suit against Meta is a clarion call: Privacy isn’t optional in the digital age. As the case unfolds, it will test the courts, regulators, and public resolve to hold Meta accountable. For users, the message is clear—scrutinize your tools, demand better, and remember that behind every app is a human choice between safety and scale. The stakes couldn’t be higher.