WhatsApp Faces Lawsuit Over Security Chief’s Alleged Improper Dismissal

WhatsApp’s former head of security has initiated legal action against the company’s parent, Meta, writes Thomas Claburn in The Register. The plaintiff alleges an improper dismissal in retaliation for reporting serious security deficiencies.

The lawsuit, Attaullah Baig v. Meta Platforms, Inc., was filed in the US District Court for the Northern District of California. It alleges violations of federal securities laws and the Sarbanes-Oxley Act, as well as potential shareholder fraud.

Baig contends that following his reports, WhatsApp executives issued unfavorable performance reviews as a pretext for his dismissal.

WhatsApp has faced years of scrutiny over its data privacy practices, including a €225 million fine from Ireland’s Data Protection Commission in 2021, another €5.5 million penalty in 2023, and criticism in a 2024 FTC report examining major social media firms.

WhatsApp, acquired by Facebook in 2014 and operating under Meta since 2021, remains bound by obligations under a 2020 FTC privacy order that stemmed from the Cambridge Analytica investigation.

The company is also awaiting a decision in an FTC antitrust case against Meta, which was concluded in May 2025.

According to the complaint, shortly after joining WhatsApp in 2021, Baig discovered systemic security failures that enabled approximately 1,500 engineers to access sensitive user data without adequate audit controls.

In September 2022, he reported six issues he said violated Meta’s legal commitments, including failures to inventory data, monitor access, detect breaches, and prevent account takeovers.

Baig claims he brought his concerns to top executives, including CEO Will Cathcart and, later, Mark Zuckerberg, before filing an SEC complaint in November 2024. Meta terminated him in February 2025.

Lawyers may view this case as an exemplary illustration of the interplay between whistleblower protections and corporate compliance obligations under US securities and privacy laws. The outcome could shape how companies balance regulatory duties, data security practices, and the treatment of internal whistleblowers.