Former WhatsApp employee Attaullah Baig has filed a lawsuit against Meta and several of the company’s top executives, accusing them of failing to address critical cybersecurity failures and retaliating against him when he tried to get them fixed.
According to Baig’s complaint, he joined Meta-owned WhatsApp in 2021, and allegedly served as head of security until he was terminated in February 2025 for poor performance. Prior to WhatsApp, he held cybersecurity-related roles at PayPal and Capital One.
However, Meta told SecurityWeek that Baig was not actually a ‘security chief’ as he claims, and instead served as a software engineering manager.
Baig has filed a whistleblower lawsuit under the Sarbanes-Oxley Act (SOX). Baig claims the social media giant actually terminated him over his repeated attempts to get the company to resolve serious cybersecurity issues.
Baig claims he discovered that hundreds of engineers had unrestricted access to WhatsApp user data without a valid reason. He also alleges that the company failed to address a significant volume of account takeovers.
Meta is also accused of violating a 2020 FTC privacy order requiring it to track and monitor user data access, and of failing to disclose the issues to the SEC, which could constitute securities fraud.
The ex-employee claims he made numerous attempts to get the attention of Meta executives, including CEO Mark Zuckerberg, pressuring them to get the issues addressed, but instead of doing so they started retaliating against him, including through negative performance reviews, micromanagement, and the cancellation of security features his team had developed.
Baig said he was ultimately terminated a few months after he personally reported Meta’s alleged cybersecurity deficiencies to the SEC.
The lawsuit names Zuckerberg. It also names several other executives, including VP and Head of WhatsApp Will Cathcart, Head of Engineering for WhatsApp Nitin Gupta, and Pinaki Mukerji and Mark Tsimelzon, former and current directors of engineering at WhatsApp.
Baig is demanding a jury trial and wants Meta to reinstate him, award backpay, and compensate him for legal fees, emotional distress, and mental anguish.
Andy Stone, communications director at Meta, responded to the lawsuit with a message posted on X, saying, “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”
Meta clarified for SecurityWeek that Baig was a level 1 software engineering manager with multiple directors above him. The social media giant claims multiple senior engineers independently determined that his work was beneath the company’s expectations prior to his termination.
In addition, documents shared by Meta with SecurityWeek appear to show that the Department of Labor dismissed a complaint filed by Baig. Specifically, the Occupational Safety and Health Administration (OSHA) found that Meta had not retaliated against him for raising security concerns. The documents also seem to show that the Department of Labor found that Baig’s alleged protected activity did not qualify as reasonable under SOX.
* Headline updated to reflect that Meta says Baig was not a ‘security chief’ as he claims. Article updated throughout to reflect that and to add additional information from Meta.
Related: Settlement Reached in Investors’ Lawsuit Against Meta CEO Mark Zuckerberg and Other Company Leaders
Related: WhatsApp Takes Down 6.8 Million Accounts Linked to Criminal Scam Centers, Meta Says
Related: Apple Complains Meta Requests Risk Privacy in Spat Over EU Efforts to Widen Access to iPhone Tech
Related: Meta Hit With $102 Million Privacy Fine From European Union Over 2019 Password Security Lapse
