Former WhatsApp security head, Attaullah Baig, sued Meta in San Francisco, alleging it permitted 1,500 engineers’ unrestricted access to sensitive user data, ignoring Baig’s warnings, and retaliated against him after reporting vulnerabilities linked to WhatsApp using data.
The lawsuit exposed how Meta’s practices left over 100,000 accounts daily vulnerable to hacking, as well as the company’s claimed ethical constraints on its user data protection record, following its historic $5 billion penalty over the Cambridge Analytica scandal in 2020.
Baig, who led WhatsApp’s security team from 2021 to 2025, asserts his proposed fixes to the Meta user data, to be eventually dismissed by executives, including CEO, Mark Zuckerberg.
In its defense, Meta responded by blandly denying the allegations, saying Baig was fired for “poor performance.” In his response, Baig rejects the claim, saying it is nothing but a mere pretextual retaliation for exposing systemic GDPR violations and security failures exposing billions of users worldwide.
WhatsApp Using Data Without Limitations
According to Baig’s 115-page complaint, around 1,500 engineers at WhatsApp had ‘unrestricted access’ to sensitive information, including contacts, IP addresses, and profile photos.
Internal tests also showed how engineers could “move or steal user data,” including contact information, IP addresses and profile photos “without detection or audit trail,” according to WhatsApp’s former head of security.
Baig alleged that the WhatsApp data sharing ignored repeated warnings and refused to implement his proposed fixes.
Instead, executives prioritized user growth, even if it meant daily exposure of 100,000 accounts to hacking and takeovers. At the time, Baig’s reports were escalated to WhatsApp head, Will Cathcart and Meta CEO Mark Zuckerberg, but no meaningful action was taken, falling on deaf ears.
In 2014 Meta (Facebook at the time) acquired WhatsApp for $19 billion. Now, Meta Platforms’ largest acquisition to date features three billion users worldwide.
A reaction to the Meta class action lawsuit about WhatsApp was provided by the messaging platform’s Vice President of Communications, Carl Woog, who dismissed Baig’s warnings, saying, “sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”
Baig alleges that he was retaliated against after reporting the WhatsApp GDPR violation weaknesses, beginning with negative reviews and escalating to warnings, including his eventual firing in February 2025 for “poor performance.”
Meta stated that Baig was resigning for independently confirmed poor performance, adding the Department of Labor’s Occupational Safety and Health Administration had already denied his initial complaint of retaliation.
It is worth noting that Baig fulfilled cybersecurity roles for PayPal, Capital One, and various banks before joining WhatsApp in 2021, adding credibility to his claims of systemic failures within Meta.
Privacy Concerns with WhatsApp
The action lawsuit highlights WhatsApp data use as the public loses faith in Big Tech’s handling of their personal information. Despite Meta’s 2020 regulatory settlement, Baig exposes the degree of compliance gaps.
With billions relying on the messaging platforms, the case of WhatsApp using data for personal gains exposed Meta’s utter disregard to it fundamental duty to protect privacy.
The stakes for guarding online data protection have never been higher. Baig and former FTC WhatsApp investigation highlight a high stakes tension between innovation, growth, and accountability, a tension that will increasingly shape the future of messaging apps and public trust in technology.
WhatsApp privacy concerns became more validated by Baig’s lawsuit, despite being blatantly dismissed by Vice President of communications, Carl Woog, undermining its value as nothing but “a familiar playbook where a former employee is fired for poor performance and then goes public with distorted claims that mischaracterize the hard work of our team.”
Baig’s lawsuit adds another chapter to WhatsApp using data which leads to a struggle with privacy and accountability. Whether the courts side with him or not, the case underscores a central truth, in an time where billions depend on encrypted messaging, public trust in WhatsApp and its parent company will hinge not on corporate denials, but on transparent safeguards that protect users from the very vulnerabilities insiders are warning about.
Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Cybersecurity sections to stay informed and up-to-date with our daily articles.