Whistleblower Sues Meta Over Claims of WhatsApp Security Flaws
A former head of security for WhatsApp has filed a lawsuit against Meta, alleging that the social media company ignored major security and privacy flaws that put billions of its messaging app users at risk. The lawsuit, filed in US District Court for the Northern District of California on Monday, claims that thousands of WhatsApp and Meta employees had access to sensitive user data, including profile pictures, location, group memberships, and contact lists.
Attaullah Baig, who is represented by the whistleblower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, argued that Meta failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes. Baig had tried to warn Meta's top leaders, including CEO Mark Zuckerberg, that users were being harmed by the security weaknesses.
However, Meta pushed back on Baig's claims, stating that "this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team." The company added that "security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy."
In 2019, Meta agreed to pay a $5 billion fine and strengthen its privacy policies to settle charges that it mishandled users' information by allowing a British political consulting firm, Cambridge Analytica, to harvest data without permission. The company has also been accused of wrongdoing related to privacy, child safety, and the spread of disinformation on its main platforms.
Baig's lawsuit is just the latest in a string of whistleblower allegations against Meta. In March, Sarah Wynn-Williams, a former leader of global policy, published a book that described a series of incendiary allegations of sexual harassment and other inappropriate behavior by senior executives. And in late 2021, Frances Haugen, another former employee, testified before Congress that the company had knowingly created products that harmed teenagers.
Meta bought WhatsApp in 2014 for $19 billion, with many of its three billion users turning to the app for its perceived security benefits, including encryption. However, in June, WhatsApp unveiled ads in some parts of the app, a move that included optional data sharing that some users said was at odds with its long-standing stated philosophy toward privacy.
Baig joined WhatsApp as head of security in January 2021 and conducted a "red-teaming" exercise in which employees posed as attackers trying to exploit the service. During that exercise, he found that roughly 1,500 WhatsApp employees had unrestricted access to sensitive user data, which he considered a violation of the company's 2020 privacy settlement with the FTC.
For over a year, Baig repeatedly tried to raise the issue with his supervisor, but was told to "focus on less critical application security tasks." In October 2022, he documented a list of "critical cybersecurity problems" that he considered to be in violation of the FTC order and securities laws. Meta blocked several security efforts by Baig's team, including a proposed feature that required additional login approval for account recovery and one that prevented profile pictures from being downloaded from the service.
"We have a fiduciary responsibility to protect our users and their data," Baig wrote in the document he presented to top WhatsApp executives. "The penalties can be severe both in terms of brand damages and fines."
Baig's lawsuit claims that Meta failed to address these security flaws, which put billions of users at risk. He also alleges that his managers retaliated against him after he tried to warn Meta's top leaders about the security weaknesses.
"There are just so many harms that the users face," Baig said in an interview last week. "This is about holding Meta accountable and putting the interests of users first."