Breaking Down the WhatsApp Whistleblower Lawsuit
Justin Hendrix / Sep 9, 2025

On Monday, The New York Times was the first to report on a lawsuit filed in the US District Court for the Northern District of California by former WhatsApp head of security Attaullah Baig against WhatsApp’s parent company, Meta, as well as executives including Pinaki Mukerji, former director of engineering at WhatsApp; Mark Tsimelzon, the current senior director of engineering at WhatsApp; Nitin Gupta, head of engineering at WhatsApp; Will Cathcart, head of WhatsApp; and Mark Zuckerberg, founder and CEO of Meta.
The suit alleges Baig observed what he believed were violations of the Sarbanes-Oxley Act, including “failure to disclose information security issues, potentially committing shareholder fraud, violations of SEC rules relating to internal controls, and/or failure to disclose material weaknesses in internal controls related to information security.” After raising various concerns about privacy and security to the company’s leadership, the complaint says, Baig endured two years of escalating retaliation, including downgrades to his performance assessments, micromanagement, and project sabotage.
Baig’s concerns date to September 2021, shortly after he joined the company, when he allegedly discovered through a red-team exercise that “approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information”, data considered to be “Covered Information” under a 2020 privacy order issued by the Federal Trade Commission (FTC) following the Cambridge Analytica scandal, and that these engineers “could move or steal such data without detection or audit trail.”
In an October 2022 meeting with WhatsApp senior leaders, the lawsuit says, Baig shared details of “six critical cybersecurity failures that violated the 2020 Privacy Order and potentially constituted securities fraud,” including:
a. Failure to inventory user data: WhatsApp lacked a comprehensive list of all user data elements collected, violating disclosure requirements under California Consumer Privacy Act (CCPA), European Union GDPR, and the 2020 Privacy Order’s mandate for a comprehensive privacy program;
b. Failure to locate data storage: WhatsApp lacked a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure;
c. Unrestricted data access: Approximately 1,500 engineers had unfettered access to Covered Information under the 2020 Privacy Order without business justification, violating FTC requirements for access controls limited to employees with documented business need;
d. Absence of access monitoring: WhatsApp lacked systems to monitor user data access, preventing detection of suspicious activity and violating the 2020 Privacy Order’s requirement for comprehensive privacy program protection;
e. Inability to detect data breaches: WhatsApp lacked 24/7 Security Operations Center capabilities standard for companies of its size and complexity, violating the 2020 Privacy Order’s requirement for information security programs designed to protect Covered Information; and
f. Massive daily account compromises: Approximately 100,000 WhatsApp users daily suffered account takeovers with access to Covered Information, yet WhatsApp failed to implement adequate preventive measures.
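Items (c) and (d) above describe two controls the complaint says were missing: access to Covered Information limited to employees with a documented business need, and monitoring of that access so that suspicious activity can be detected. The following is an added example, not code from the complaint, from WhatsApp or from Meta, of what those two controls look like as a minimal policy gate plus an audit pass over an access log. The field names, engineer names, entitlements, ticket identifiers and log events are all constructed for illustration, and the "bulk access" threshold is an arbitrary assumption.

```python
"""
Toy model of (c) least-privilege access to covered user data and
(d) monitoring of that access. Added example; all data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed: fields treated as "Covered Information" in this toy model.
COVERED_FIELDS = {"phone_number", "ip_address", "profile_photo", "contacts"}

@dataclass(frozen=True)
class AccessEvent:
    engineer: str            # who read the data
    field: str               # which user-data element was read
    user_id: str             # whose data was read
    ticket: Optional[str]    # documented business justification, if any

# Constructed allow-list: engineer -> covered fields they are entitled to read.
# An empty set models an engineer with no business need for covered data.
ENTITLEMENTS = {
    "alice": {"profile_photo"},
    "bob": set(),
}

# Constructed registry of tickets that record an approved business need.
APPROVED_TICKETS = {"SUP-1042", "ABUSE-77"}

def authorize(event, entitlements=ENTITLEMENTS, approved=APPROVED_TICKETS):
    """Control (c): a covered field may be read only by an entitled engineer
    who cites an approved ticket. Non-covered fields are not gated here."""
    if event.field not in COVERED_FIELDS:
        return True
    if event.field not in entitlements.get(event.engineer, set()):
        return False
    return event.ticket in approved

def audit(events, bulk_threshold=3):
    """Control (d): replay the access log and return findings per engineer.
    Flags every covered-data read that the policy would not have allowed,
    plus any engineer who touched at least `bulk_threshold` distinct users'
    covered data (a crude exfiltration signal). Without a log like `events`
    there is nothing to audit, which is the point of item (d)."""
    findings = defaultdict(list)
    subjects_per_engineer = defaultdict(set)
    for e in events:
        if e.field not in COVERED_FIELDS:
            continue
        subjects_per_engineer[e.engineer].add(e.user_id)
        if not authorize(e):
            findings[e.engineer].append(
                f"unauthorized read of {e.field} for {e.user_id} (ticket={e.ticket})"
            )
    for engineer, subjects in subjects_per_engineer.items():
        if len(subjects) >= bulk_threshold:
            findings[engineer].append(
                f"bulk access: {len(subjects)} distinct users' covered data"
            )
    return dict(findings)

# Constructed access log used to exercise both controls.
SAMPLE_EVENTS = [
    AccessEvent("alice", "profile_photo", "u1", "SUP-1042"),  # entitled + ticket: allowed
    AccessEvent("alice", "profile_photo", "u2", None),        # entitled, no ticket: flagged
    AccessEvent("bob", "display_name", "u1", None),           # not covered: not gated
    AccessEvent("bob", "ip_address", "u1", "ABUSE-77"),       # ticket but no entitlement: flagged
    AccessEvent("bob", "ip_address", "u2", None),             # flagged
    AccessEvent("bob", "phone_number", "u3", None),           # flagged; 3rd distinct user -> bulk
]

if __name__ == "__main__":
    for engineer, items in audit(SAMPLE_EVENTS).items():
        for item in items:
            print(f"{engineer}: {item}")
```

The two functions are deliberately separate: `authorize` is what an enforcement point would call before returning data, while `audit` only needs the log and can run after the fact, so it still produces findings when enforcement was absent or bypassed. In a real deployment the entitlement and ticket lookups would be backed by an access-management system rather than module-level dictionaries.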
The suit says that after raising these issues with his superiors, Baig faced retaliation (a claim, among others, that the company denies, according to the New York Times), and that he continued to escalate his concerns, including in “a detailed letter to Mark Zuckerberg, CEO of Meta, and Jennifer Newstead, General Counsel, documenting: (a) violations of the 2020 Privacy Order; (b) violations of SEC rules and regulations; (c) escalating retaliation against him for raising these concerns; and (d) evidence that the central security team had falsified security reports to cover up decisions not to remediate data exfiltration risks.”
Baig claims he helped build various technical solutions to address WhatsApp security risks, including for hacked accounts, which he believed could number as many as 500,000 per day; impersonation scams; and attacks targeting journalists.
The suit says that, in November 2024, Baig filed a complaint with the SEC “documenting Meta’s cybersecurity deficiencies and failure to inform investors about material cybersecurity risks,” and that in December that year he “sent a second letter to Mr. Zuckerberg documenting continued cybersecurity problems and escalating retaliation, informing the CEO that he had filed the SEC complaint and requesting immediate action to address both the underlying compliance failures and the unlawful retaliation.”
The suit further alleges that Baig also flagged the company’s “false commitment” to the Irish Data Privacy Commissioner on protections it claimed to have in place to prevent employees from accessing user data.
In January 2025 Baig filed a complaint with the Occupational Safety and Health Administration over alleged “systemic retaliation” by the company. Part of the retaliation, the suit claims, included “systemic sabotage” of his efforts to address security risks, including blocking “remediation” efforts aimed at staunching the leak of “400 million user profile photos daily to scrapers” and a “Post Compromise Account Recovery (PCR) solution” aimed at helping tens of thousands of users who were hacked and locked out of their accounts.
On February 10, 2025, Baig learned that his employment at the company was terminated.
The “unfettered” access that as many as 1,500 WhatsApp engineers allegedly had to user data was of particular concern to Baig, the suit claims.
To paint the gravity of the vulnerability that this places users in, any one of these roughly 1,500 engineers could find and identify an elected official’s geographic location while messaging (through their IP address) and see the contact number of who they were messaging.
The suit claims that in one meeting, WhatsApp head of global public policy Jonathan Lee asked, “Are we going to be in the same situation as Mudge at Twitter?”, a reference to the Twitter whistleblower Peiter "Mudge" Zatko, who raised security and privacy concerns about the social media platform, where he was head of security, in August 2022.
The suit seeks compensation for damages and requests that the court determine whether Meta and its executives violated the Sarbanes-Oxley Act. The Washington Post reported that staff at the FTC and the SEC have interviewed Baig.