Ex-Meta Whistleblower Alleges WhatsApp Security Flaws in Lawsuit.

A former Meta security head, Attaullah Baig, is suing the company, alleging WhatsApp has critical security flaws exposing user data. He claims 1,500 engineers had unrestricted data access and that Meta retaliated against him for raising concerns. Baig reported the issues to the SEC and OSHA. Meta denies the allegations, citing Baig’s poor performance and claiming his concerns misrepresent ongoing security efforts. The lawsuit raises questions about WhatsApp’s data security and whistleblower protection.


A former Meta employee has launched a lawsuit against the social media giant, alleging critical security vulnerabilities within its WhatsApp messaging platform. Attaullah Baig, WhatsApp’s former head of security, claims he faced retaliation after alerting Meta leadership, including CEO Mark Zuckerberg, to these significant security flaws that could compromise user data.

The lawsuit, filed in the U.S. District Court for the Northern District of California, alleges that Baig, upon joining WhatsApp in 2021, discovered security deficiencies that potentially violated federal securities laws and Meta’s legal obligations stemming from a 2020 privacy settlement with the Federal Trade Commission. The core of Baig’s claim centers around what he describes as systemic issues within WhatsApp’s data access controls.

According to the suit, during an internal test conducted with Meta’s central security team, Baig discovered that approximately 1,500 WhatsApp engineers had wide-ranging, unrestricted access to user data, including sensitive personal information. He further claims that these employees could potentially move or extract data without detection or leaving an audit trail, raising serious concerns about data security and compliance.

Meta has vehemently denied these allegations. A company spokesperson issued a statement disputing Baig’s claims and downplaying his former role and seniority within the organization. Meta argues that Baig’s claims are a misrepresentation of the company’s ongoing efforts to protect user privacy and that he was dismissed for performance-related issues.

“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” the spokesperson stated. “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”

Baig is represented by Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes.

While the lawsuit doesn’t directly assert that user data was compromised, it maintains that Baig repeatedly warned his superiors about the potential regulatory and compliance risks posed by these alleged cybersecurity failures. Some of the specific security flaws highlighted include WhatsApp’s purported failure to maintain a 24-hour security operations center commensurate with its substantial size and user base, inadequate systems for monitoring user data access, and a lack of a comprehensive inventory of systems storing user data. This lack of inventory, Baig alleges, hinders proper data protection measures and regulatory disclosure.

Baig’s legal team alleges that his concerns were met with criticism of his work, and that within three days of his initial cybersecurity disclosure, he began receiving negative performance feedback. This timing, they argue, suggests a retaliatory motive.

The lawsuit further states that in November, Baig notified the SEC of the alleged cybersecurity deficiencies and the company’s purported failure to inform investors about material cybersecurity risks. The SEC will likely investigate whether Meta adequately disclosed these risks to its shareholders, a critical aspect of publicly traded companies’ transparency obligations.

In December, Baig sent a second letter to Zuckerberg, informing the CEO that he had filed the SEC complaint and was requesting immediate action to address both the underlying compliance failures and the alleged unlawful retaliation. This direct appeal to the highest level of management underscores the severity of the issues Baig believed he had uncovered.

Subsequently, in January, Baig filed a complaint with the Occupational Safety and Health Administration (OSHA), documenting what he describes as the systemic retaliation he faced after making the security disclosures, as per the lawsuit.

The complaint states that in February, Meta terminated Baig’s employment, citing poor performance as part of a company-wide layoff impacting 5% of staff. The timing and circumstances of the dismissal, occurring shortly after the regulatory filings, form a central argument in Baig’s claim of retaliation.

“The timing and circumstances of Mr. Baig’s termination establish clear causal connection to his protected activity, occurring in close temporal proximity to his external regulatory filings and representing the culmination of over two years of systemic retaliation for his cybersecurity disclosures and advocacy for compliance with federal law and regulatory orders,” the suit asserts.

Baig’s lawyers stated that he submitted a notice to remove his SEC-related claims to federal court on Monday, indicating that he has exhausted all administrative remedies prior to initiating this legal action. The case raises critical questions about data security practices at one of the world’s most popular messaging platforms and the potential consequences for user privacy. The outcome could set a precedent for how tech companies handle internal security concerns and whistleblower protections.


Original article, Author: Tobias. If you wish to reprint this article, please indicate the source: https://aicnbc.com/8921.html
