Because of security flaws: Ex-security chief of WhatsApp sues Meta
The former head of security at WhatsApp allegedly pointed out flaws that violated laws and regulations for years. Now he is suing.
Seven months after his dismissal, the former head of security at WhatsApp has filed a lawsuit against Meta, accusing the company of several instances of misconduct that allegedly violate an agreement with the US Federal Trade Commission (FTC). Attaullah Baig writes in the lawsuit that around 1,500 people at WhatsApp had unrestricted access to the messenger's data. This includes IP addresses, location, and contact data, as well as profile pictures. According to the lawsuit, this violates the agreements with the FTC, as all of them could steal the data without leaving any traces. According to his statements, only six people worked on security at WhatsApp in 2021, although the messenger had a total of 3,000 employees.
Baig also states in the complaint that WhatsApp does not have a comprehensive list of all user data collected, meaning that the messenger is in breach of the GDPR, among other things. Furthermore, there is no inventory of the systems that store user data and no monitoring of access to user data. Suspicious access could therefore not be detected. In terms of information security, WhatsApp is also in breach of the agreements with the FTC, as the messenger does not have the capacity to cope with the size and complexity of the service. In addition, around 100,000 WhatsApp accounts are taken over every day, partly because the messenger does not implement sufficient countermeasures.
Fruitless criticism of the situation
Baig explains that he started working at WhatsApp in 2021 and subsequently addressed the security breaches several times and suggested countermeasures. Instead, however, attempts were made to keep him quiet. He was also asked directly to address the agreement with the FTC. Another time, he was advised, “Don't be the guy nobody wants to work with.” Meta's security team literally conspired against him to silence him. After he turned to external bodies with complaints about the procedure and the alleged violations, he was dismissed in February for alleged poor performance, which he describes as the “ultimate retaliation.”
The stipulations with the FTC, to which Baig repeatedly refers, were a consequence of the Cambridge Analytica scandal. Cambridge Analytica had collected data from Facebook users and monetized it. As part of the investigation, Meta was fined a record five billion US dollars. WhatsApp has now denied Baig's accusations to several media outlets and spoken of a familiar spectacle: “An ex-employee is fired for poor performance and then goes public with distorted claims that misrepresent the hard work of our team.” Meta said it was proud of its “solid track record” in protecting privacy.
- The lawsuit is Attaullah Baig v. Meta Platforms, Inc. and is case number 3:25-cv-7604
(mho)