Indian-origin cybersecurity expert Attaullah Baig has filed a lawsuit in the US District Court for the Northern District of California alleging systemic security failures at WhatsApp and retaliation after he raised his concerns, CNBC reported. Hindustan Times also covered the case and published background information on Sept 10, 2025.
What does Baig allege?
Baig's suit, as quoted by CNBC, states that a security test uncovered about 1,500 WhatsApp engineers with "unrestricted access" to users' data, including sensitive personal information, and that employees "could move or steal such data without detection or audit trail." The filing says those vulnerabilities could expose Meta to a violation of federal law and of its 2020 privacy settlement with the Federal Trade Commission, CNBC added. Hindustan Times also reported that Baig says his internal reports were rejected, his performance reviews declined, and he was eventually terminated in February 2025. The Hindustan Times article also states that Baig complained to the SEC and OSHA about retaliation and compliance failures.
Meta's reaction and the stakes
Meta has denied Baig's charges. In a statement to CNBC, a spokesperson for Meta said the allegations "distort" the work of the team and represent a standard post-employment playbook. Baig’s legal team, which includes whistleblower advocacy group Psst.org, according to Hindustan Times, has argued that his termination was retaliatory. Baig's education and experience (University of Utah; NIT Warangal) are listed on his LinkedIn profile, Hindustan Times reports. While the lawsuit does not allege that user data was actually stolen, CNBC and Hindustan Times note that it contends internal practices left millions of users potentially exposed.